Description
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.

Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.

A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.

Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.

This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.
Published: 2026-04-29
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Plack::Middleware::XSendfile permits the X-Sendfile-Type header to be defined by the client when the middleware is not configured to fix that value. A malicious request can therefore change the rewrite mechanism to use X-Accel-Redirect and supply an X-Accel-Mapping header that points to any location on the server's filesystem. The result is an arbitrary file read, which exposes confidential data without authentication. The flaw corresponds to CWE-200, CWE-441, and CWE-913.

Affected Systems

The issue affects any installation of the MIYAGAWA Plack::Middleware::XSendfile package up to and including version 1.0053 that is deployed within a Perl application. Systems that expose the middleware behind nginx reverse proxies are especially vulnerable if the reverse proxy does not strip client-supplied X-Sendfile-Type and X-Accel-Mapping headers.

Risk and Exploitability

The vulnerability can be exploited via a normal HTTP request that includes forged X-Sendfile-Type and X-Accel-Mapping headers. The likely attack vector is a network request from an unauthenticated client. There are no special server conditions or privileged credentials required. The CVSS score is 9.1, the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly documented large-scale exploits so far. Nonetheless, the ability to read arbitrary files makes the risk high for confidentiality.

Generated by OpenCVE AI on May 2, 2026 at 00:33 UTC.

Remediation

Vendor Solution

Users are encouraged to set the appropriate header directly in their applications, or write their own middleware layer that does not allow configuration to be passed via HTTP request headers.


Vendor Workaround

Users can configure the X-Sendfile-Type in the middleware constructor, and the reverse proxy to unset the X-Sendfile-Type header and (on nginx) the X-Accel-Mapping request header.


OpenCVE Recommended Actions

  • Configure the application to set the X-Sendfile-Type header internally or replace the middleware with a version that rejects client-supplied values.
  • Set X-Sendfile-Type in the middleware constructor and configure the reverse proxy to remove or sanitize X-Sendfile-Type and X-Accel-Mapping headers before forwarding requests.
  • Validate any X-Accel-Mapping value against a whitelist of permitted file paths to prevent unauthorized file reads.
  • Ensure the reverse proxy removes or neutralises all X-Accel-Mapping headers entirely, reducing the attack surface.

Generated by OpenCVE AI on May 2, 2026 at 00:33 UTC.
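The vendor workaround and the recommended actions above (fix the sendfile type in the constructor, refuse client-supplied control headers, only accept a known X-Accel-Mapping) can be combined in one Plack::Builder stack. The following is an added example written for this page; it is not code from the Plack project or from the advisory. It assumes a hypothetical application that only serves files from /srv/app/public/, an nginx internal location /private_files/ mapped to that directory, and the middleware's `variation` constructor option for the sendfile type (the option the advisory refers to as the "variation setting"). The PSGI environment keys HTTP_X_SENDFILE_TYPE, HTTP_X_ACCEL_MAPPING and plack.xsendfile.type are the standard PSGI/Plack names for those headers and setting.

```perl
#!/usr/bin/env perl
# Added example (not from the Plack project or the advisory): pin the
# sendfile type in the constructor and strip client-supplied control
# headers before Plack::Middleware::XSendfile can read them.
use strict;
use warnings;
use Plack::Builder;

# Hypothetical deployment constants for this example: the app serves files
# only from $PUBLIC_DIR, and nginx maps that directory to /private_files/.
my $PUBLIC_DIR      = '/srv/app/public/';
my $TRUSTED_MAPPING = "$PUBLIC_DIR=/private_files/";

# Hypothetical application: returns a real filehandle so XSendfile can turn
# the response into an X-Accel-Redirect that nginx serves from disk.
my $app = sub {
    my $env  = shift;
    my $path = $PUBLIC_DIR . 'report.pdf';
    open my $fh, '<:raw', $path
        or return [ 404, [ 'Content-Type' => 'text/plain' ], ['not found'] ];
    return [ 200, [ 'Content-Type' => 'application/pdf' ], $fh ];
};

# Hardening layer. Plack::Builder wraps middleware in the order given, so
# this outer layer runs before XSendfile sees the request.
my $strip_sendfile_headers = sub {
    my $next = shift;
    return sub {
        my $env = shift;

        # The client must never choose the sendfile mechanism: drop the
        # request header and set the Plack-environment value ourselves.
        delete $env->{HTTP_X_SENDFILE_TYPE};
        $env->{'plack.xsendfile.type'} = 'X-Accel-Redirect';

        # Whitelist the mapping: only the exact value the trusted proxy is
        # expected to send is kept. Anything else (including a forged
        # mapping pointing elsewhere on the filesystem) is removed, so
        # XSendfile has no mapping to rewrite the path with.
        my $mapping = $env->{HTTP_X_ACCEL_MAPPING};
        if ( defined $mapping && $mapping ne $TRUSTED_MAPPING ) {
            $env->{'psgi.errors'}->print("rejected X-Accel-Mapping: $mapping\n");
            delete $env->{HTTP_X_ACCEL_MAPPING};
        }
        return $next->($env);
    };
};

builder {
    enable $strip_sendfile_headers;
    # Fixing the sendfile type in the constructor is the workaround the
    # advisory describes; the layer above is defence in depth on top of it.
    enable 'XSendfile', variation => 'X-Accel-Redirect';
    $app;
};
```

The application-side filter is only half of the workaround: the reverse proxy should stop forwarding the client's headers in the first place. On nginx, `proxy_set_header X-Sendfile-Type "";` drops the header (an empty value means the field is not passed upstream), and `proxy_set_header X-Accel-Mapping /srv/app/public/=/private_files/;` replaces any client-supplied mapping with the proxy's own, which is the value the filter above expects. Logging rejected mappings to psgi.errors gives a simple detection signal for requests that attempt the client-controlled rewrite.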

Tracking


Advisories

No advisories yet.

History

Thu, 30 Apr 2026 14:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 08:45:00 +0000

Type: First Time appeared
Values added: Miyagawa; Miyagawa plack::middleware::xsendfile

Type: Vendors & Products
Values added: Miyagawa; Miyagawa plack::middleware::xsendfile

Wed, 29 Apr 2026 22:45:00 +0000

Type: Description
Values added: Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

Type: Title
Values added: Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting

Type: Weaknesses
Values added: CWE-200; CWE-441; CWE-913

Type: References

Subscriptions

Miyagawa Plack::middleware::xsendfile
MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-30T13:18:45.937Z

Reserved: 2026-04-29T07:43:55.519Z

Link: CVE-2026-7381

Vulnrichment

Updated: 2026-04-30T13:18:39.940Z

NVD

Status : Awaiting Analysis

Published: 2026-04-29T23:16:19.897

Modified: 2026-04-30T15:48:26.580

Link: CVE-2026-7381

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:45:30Z

Weaknesses