CPANSA-HTTP-Tiny-2026-7010: HTTP-Tiny vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2026-05-11T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2026-05-11T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 6.5 | Severity | |
| Original language | | Language | en |
| Also referred to | | | |
Vulnerability Description
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user-supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.
Vulnerabilities
CVE-2026-7010
Vulnerability Description
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.
The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.
An attacker who controls one of these inputs, for example a user-supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.
| Weakness | CWE-113 : Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') |
|---|
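The following caller-side check is an added example, not code from this advisory or from the HTTP::Tiny project. It screens the inputs named in the description (method, URL, header values) before they reach `HTTP::Tiny->request`, for deployments that cannot yet move to 0.093. The function names `unsafe_request_reason` and `http_tiny_is_fixed` and the sample inputs are hypothetical.

```perl
#!/usr/bin/env perl
# Added example (not HTTP::Tiny code): caller-side checks for the inputs the
# advisory lists. Function names and sample inputs are constructed.
use strict;
use warnings;
use HTTP::Tiny;
use version;

# RFC 9110 "token" characters, the only ones legal in a method or header name.
my $TOKEN = qr/\A[!#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/;

# Return a reason string if the request parts are unsafe, undef if acceptable.
sub unsafe_request_reason {
    my ($method, $url, $headers) = @_;
    return 'method is not an HTTP token' unless $method =~ $TOKEN;
    # Raw control bytes (CR, LF, NUL, ...) or spaces must never reach the
    # request line or the Host header derived from the URL.
    return 'URL contains control characters or whitespace'
        if $url =~ /[\x00-\x20\x7f]/;
    for my $name (sort keys %{ $headers || {} }) {
        return "header name '$name' is not an HTTP token" unless $name =~ $TOKEN;
        my $v = $headers->{$name};
        for my $value (ref $v eq 'ARRAY' ? @$v : $v) {
            return "header '$name' value contains CR, LF or NUL"
                if $value =~ /[\r\n\x00]/;
        }
    }
    return;
}

# True when the loaded HTTP::Tiny is at or above the fixed version (0.093).
sub http_tiny_is_fixed {
    return version->parse(HTTP::Tiny->VERSION) >= version->parse('0.093');
}

# Constructed sample inputs: one benign request, two carrying a raw CRLF.
my @samples = (
    [ 'GET', 'https://example.com/hook',                  {} ],
    [ 'GET', "https://example.com/hook\r\nX-Injected: 1", {} ],
    [ 'GET', 'https://example.com/hook', { 'X-Trace' => "a\r\nX-Injected: 1" } ],
);
printf "HTTP::Tiny %s fixed: %s\n", HTTP::Tiny->VERSION,
    http_tiny_is_fixed() ? 'yes' : 'no';
for my $s (@samples) {
    my $why = unsafe_request_reason(@$s);
    print $why ? "REJECT ($why)\n" : "OK, safe to pass to HTTP::Tiny->request\n";
}
```

The check is a stopgap for untrusted URLs and headers; the fix listed under Product status is HTTP-Tiny 0.093 or later.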
Product status
Known affected
| Product | Score |
|---|---|
| HTTP-Tiny less than 0.093 | |
Fixed
- HTTP-Tiny greater than or equal to 0.093
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-HTTP-Tiny-2026-7010 JSON (self)
  https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-http-tiny-2026-7010.json
- https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch (external)
  https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch
- https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes (external)
  https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes
- http://www.openwall.com/lists/oss-security/2026/05/11/17 (external)
  http://www.openwall.com/lists/oss-security/2026/05/11/17
- CVE-2026-7010 (NVD) (external)
  https://nvd.nist.gov/vuln/detail/CVE-2026-7010
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Mon May 11 00:00:00 2026 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/