CPANSA-Plack-Middleware-Security-Simple-2026-9658: Plack-Middleware-Security-Simple vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2026-05-28T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2026-05-28T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 7.3 | Severity | |
| Original language | | Language | en |
| Also referred to | | | |
Vulnerabilities
CVE-2026-9658
Vulnerability Description
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.
The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,
GET /path\r\nHTTP/1.1\r\nHost: secret.example.com
Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
| Weakness | CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') |
|---|---|
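As an added example, not code from the advisory or from the Plack-Middleware-Security-Simple distribution, the following stand-alone PSGI wrapper shows the defender-side check this weakness calls for: reject a request whose target carries a CR or LF whether it appears raw, percent-encoded once, or percent-encoded twice (the case the advisory describes as the only one the old rule caught). The names `path_has_crlf` and `block_crlf_in_path` are hypothetical, only core Perl is used, and the sample requests at the bottom are constructed for the demonstration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Decode one layer of percent-encoding (core Perl only, no URI::Escape).
sub decode_once {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# True if the raw target, or its first or second percent-decoding, contains CR or LF.
# Checking the raw form catches a literal CRLF; the decoded forms catch %0D%0A and %250D%250A.
sub path_has_crlf {
    my ($target) = @_;
    my $candidate = $target;
    for my $round (0 .. 2) {
        return 1 if $candidate =~ /[\r\n]/;
        $candidate = decode_once($candidate);
    }
    return 0;
}

# Hypothetical inline middleware: wraps a PSGI app and answers 400 before the app
# sees a request whose REQUEST_URI or PATH_INFO contains an embedded line break.
sub block_crlf_in_path {
    my ($app) = @_;
    return sub {
        my ($env) = @_;
        for my $key (qw(REQUEST_URI PATH_INFO)) {
            my $value = $env->{$key};
            next unless defined $value;
            if (path_has_crlf($value)) {
                return [ 400, [ 'Content-Type' => 'text/plain' ], [ "Bad Request\n" ] ];
            }
        }
        return $app->($env);
    };
}

# Minimal backend app and the guarded version of it.
my $app     = sub { [ 200, [ 'Content-Type' => 'text/plain' ], [ "ok\n" ] ] };
my $guarded = block_crlf_in_path($app);

# Constructed sample request targets (hosts are placeholders).
my @samples = (
    [ '/path',                                   'plain path'          ],
    [ "/path\r\nHost: example.test",             'raw CRLF'            ],
    [ '/path%0D%0AHost:%20example.test',         'single-encoded CRLF' ],
    [ '/path%250D%250AHost:%2520example.test',   'double-encoded CRLF' ],
);

for my $sample (@samples) {
    my ($uri, $label) = @$sample;
    my $res = $guarded->({ REQUEST_METHOD => 'GET', REQUEST_URI => $uri, PATH_INFO => $uri });
    printf "%-20s -> %d\n", $label, $res->[0];
}
```

Run with `perl` and the first target gets 200 while the three CRLF variants get 400. The wrapper is an ordinary coderef middleware, so it can also be mounted in a Plack::Builder stack with `enable sub { block_crlf_in_path(shift) }`. Two decoding rounds are enough for the double-encoded case the advisory names; a deployment that knows its proxy chain decodes further could raise the bound, but each extra round widens what the rule rejects.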
Product status
Known affected
| Product | Score |
|---|---|
| Plack-Middleware-Security-Simple less than 0.13.1 | 7.3 |
Fixed
- Plack-Middleware-Security-Simple greater than or equal to 0.13.1
Publisher
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Plack-Middleware-Security-Simple-2026-9658 JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-plack-middleware-security-simple-2026-9658.json
- https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes (external)
- http://www.openwall.com/lists/oss-security/2026/05/28/9 (external)
- CVE-2026-9658 (NVD) (external): https://nvd.nist.gov/vuln/detail/CVE-2026-9658
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Thu May 28 00:00:00 2026 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/