Impact
Plack::Middleware::Security::Common versions prior to 0.13.1 failed to sanitize request paths, allowing a crafted URL that contains carriage-return and line-feed characters to append unintended HTTP headers to the request. This flaw enables an attacker to inject arbitrary headers such as Host, Cookie, or Authorization, potentially altering the behavior of downstream services or facilitating data exfiltration or session hijacking. The vulnerability is a classic HTTP header injection (CWE-790) with an associated request smuggling concern (CWE-113).
Affected Systems
The issue affects Perl web applications that use the Plack::Middleware::Security::Common module before it is updated to 0.13.1. Any site or service running a vulnerable instance of this middleware, commonly found in Plack or Catalyst applications, could be compromised if the module is not upgraded. All versions of the module prior to release 0.13.1 are considered susceptible; newer releases contain a fix that properly blocks header injections.
Risk and Exploitability
No EPSS score is reported and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Nonetheless, an attacker who can reach the affected server directly can send a request whose malformed path injects headers. Because the flaw operates at the application level, the attack does not depend on external services, and its impact on confidentiality, integrity, or availability depends on how the injected headers affect downstream processing. Damage is most serious when the application forwards the request to an internal service, so the risk is moderate to high for exposed services that rely on the vulnerable middleware.
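The mitigation the advisory describes, rejecting paths that carry CR/LF before a downstream component can copy them into an outbound request, can be illustrated with a small PSGI middleware. The following Perl is an added example written for this page; it is not the Plack::Middleware::Security::Common code and does not reproduce that module's API. The class name My::Middleware::RejectCRLF, the log line format, and the crafted request URL are all constructed for the demonstration; only the Plack::Middleware, Plack::Test and HTTP::Request::Common interfaces it calls are real.

```perl
#!/usr/bin/env perl
# Added example (hypothetical class My::Middleware::RejectCRLF): a PSGI
# middleware that refuses requests whose path components contain raw or
# percent-encoded CR/LF, and logs a single-line record for the SOC.
use strict;
use warnings;

package My::Middleware::RejectCRLF;
use parent 'Plack::Middleware';

# PSGI environment keys that are derived from the request line. PATH_INFO is
# percent-decoded by the server, so an encoded %0d%0a in the URL shows up here
# as a literal CR LF; REQUEST_URI keeps the still-encoded form.
my @PATH_KEYS = qw(PATH_INFO SCRIPT_NAME REQUEST_URI);

# Return the name of the first offending key, or undef when the request is clean.
sub find_crlf {
    my ($env) = @_;
    for my $key (@PATH_KEYS) {
        my $value = $env->{$key};
        next unless defined $value;
        return $key if $value =~ /[\r\n]/;          # decoded CR or LF
        return $key if $value =~ /%(?:0d|0a)/i;     # encoded CR or LF
    }
    return undef;
}

sub call {
    my ($self, $env) = @_;
    if (my $key = find_crlf($env)) {
        # Collapse control characters so the log entry itself cannot be split.
        (my $shown = $env->{REQUEST_URI} // '') =~ s/[\r\n]/ /g;
        $env->{'psgi.errors'}->print("rejected CRLF in $key: $shown\n");
        return [400, ['Content-Type' => 'text/plain'], ["Bad Request\n"]];
    }
    return $self->app->($env);
}

package main;
use Plack::Test;
use HTTP::Request::Common;

# Downstream app standing in for a proxy that would forward PATH_INFO verbatim.
my $app = sub {
    my $env = shift;
    return [200, ['Content-Type' => 'text/plain'], ["path=$env->{PATH_INFO}\n"]];
};

# Plack::Middleware->wrap instantiates the middleware around $app.
my $guarded = My::Middleware::RejectCRLF->wrap($app);

test_psgi app => $guarded, client => sub {
    my $cb = shift;

    my $ok = $cb->(GET '/users/42');
    printf "clean:   %d %s", $ok->code, $ok->content;

    # Constructed request shape: encoded CR LF followed by a header line, the
    # pattern a vulnerable path handler would turn into an extra header.
    my $bad = $cb->(GET '/users/42%0d%0aX-Injected:%20yes');
    printf "crafted: %d %s", $bad->code, $bad->content;
};
```

Run it with `perl` after installing Plack (`cpanm Plack`); the clean request reaches the inner app with status 200 and the crafted one is stopped at the middleware with status 400 and a line on STDERR. Checking the encoded form in REQUEST_URI is stricter than the decoded-only check and will also reject legitimate URLs that carry %0A in their query string, so scope the regex to the path portion if that matters for your application. Upgrading to 0.13.1 remains the actual fix; this middleware is a compensating control for deployments that cannot upgrade immediately.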
OpenCVE Enrichment