Impact
Plack::Middleware::Security::Common versions before 0.13.1 did not properly sanitize request paths, so a crafted URL containing carriage-return and line-feed (CRLF) characters could append unintended HTTP headers to the request. This lets an attacker inject arbitrary headers such as Host, Cookie, or Authorization, which can alter downstream application behaviour or enable data exfiltration or session hijacking. The weakness is classified as improper filtering of special elements (CWE-790) together with improper neutralization of CRLF sequences in HTTP headers, i.e. HTTP request/response splitting (CWE-113); it is a header injection issue, not request smuggling.
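One way to enforce the kind of path sanitization the advisory describes, as an added example that is not code from the Plack::Middleware::Security::Common distribution or its author: a stand-alone Plack middleware under the hypothetical package name My::Middleware::NoCRLF that refuses any request whose path or query carries a raw, percent-encoded or double-encoded CR/LF, and a constructed pair of requests (one benign, one with an encoded CRLF followed by a forged Host line) sent through it with Plack::Test.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical package name; this is an added illustration, not code from
# Plack::Middleware::Security::Common.
package My::Middleware::NoCRLF;
use parent 'Plack::Middleware';

# Reject the request if its path or query contains a CR or LF, whether raw,
# percent-encoded (%0D/%0A) or double-encoded (%250D/%250A). A line
# terminator that survives into a downstream proxy or header-building code
# is what turns a path into a header injection.
sub call {
    my ($self, $env) = @_;
    for my $key (qw(PATH_INFO REQUEST_URI QUERY_STRING)) {
        my $value = $env->{$key};
        next unless defined $value;
        if (has_crlf($value)) {
            return [400, ['Content-Type' => 'text/plain'], ["Bad Request\n"]];
        }
    }
    return $self->app->($env);
}

sub has_crlf {
    my ($s) = @_;
    return 1 if $s =~ /[\r\n]/;        # raw CR or LF (PATH_INFO is already decoded)
    return 1 if $s =~ /%0[dDaA]/;      # %0D / %0A in the raw REQUEST_URI or query
    return 1 if $s =~ /%250[dDaA]/;    # %250D / %250A, which lax parsers decode twice
    return 0;
}

package main;
use Plack::Test;
use HTTP::Request::Common;

# Toy application that echoes the path it received.
my $app = sub {
    my $env = shift;
    return [200, ['Content-Type' => 'text/plain'], ["path=$env->{PATH_INFO}\n"]];
};

# Plack::Middleware->wrap avoids the builder's file-based class loading, so the
# package defined above in this same file can be used directly.
my $guarded = My::Middleware::NoCRLF->wrap($app);

test_psgi app => $guarded, client => sub {
    my $cb = shift;
    # Constructed requests: one benign, one carrying an encoded CRLF followed
    # by a forged Host header line.
    my $ok  = $cb->(GET '/index.html');
    my $bad = $cb->(GET '/index.html%0d%0aHost:%20evil.example');
    printf "benign: %d\ninjected: %d\n", $ok->code, $bad->code;
};
```

Plack::Test decodes the percent-encoded path into PATH_INFO and leaves REQUEST_URI raw, so the injected request is caught by both the raw and the encoded patterns and never reaches the application; the benign one passes through. The double-encoded pattern is deliberately strict and will also reject legitimate inputs that happen to contain a literal %250D or %250A, so tune it to the deployment. To confirm whether an installation is still on a vulnerable release, print $Plack::Middleware::Security::Common::VERSION and compare it with 0.13.1.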
Affected Systems
The vulnerability affects Perl web applications that use RRWO's Plack::Middleware::Security::Common module prior to release 0.13.1. All versions before 0.13.1 are considered susceptible; the fix is included in 0.13.1 and later releases.
Risk and Exploitability
The EPSS score of under 1% and the absence of a KEV listing suggest that widespread exploitation has not been observed. The CVSS score of 7.3 places the issue in the High severity band. An attacker can send a malicious request directly to the affected server, using the malformed path to inject headers. Because the flaw lies in the application layer, exploitation needs no external services, and its effect on confidentiality, integrity, and availability depends on how the injected headers are handled downstream. The potential for serious damage is moderate to high for exposed services that rely on the vulnerable middleware.
OpenCVE Enrichment