CVE-2026-7017: CWE-522 Insufficiently Protected Credentials in HAARG HTTP::Tiny
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.
AI Analysis
Technical Summary
The vulnerability in HTTP::Tiny before version 0.095 arises from insufficient protection of credentials during HTTP redirects. When a server responds with a 3xx redirect, HTTP::Tiny follows the Location header and re-applies the caller's headers to the new request without origin checks. This causes Authorization, Cookie, and Proxy-Authorization headers to be sent to potentially untrusted cross-origin hosts, including insecure downgrade scenarios from HTTPS to HTTP. The module's documentation incorrectly states that Authorization headers are not included in redirected requests, but this applies only to URL-userinfo Basic-auth, not explicitly set headers.
Potential Impact
Sensitive credential headers may be leaked to unintended third-party hosts during HTTP redirects, potentially exposing authentication tokens or cookies. This can lead to credential compromise if an attacker controls or intercepts the redirect target, especially in downgrade scenarios from HTTPS to HTTP where credentials are transmitted in plaintext.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid passing sensitive headers explicitly when following redirects with HTTP::Tiny or implement manual redirect handling with origin checks to prevent credential leakage.
CVE-2026-7017: CWE-522 Insufficiently Protected Credentials in HAARG HTTP::Tiny
Description
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.
CVSS v3.1
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in HTTP::Tiny before version 0.095 arises from insufficient protection of credentials during HTTP redirects. When a server responds with a 3xx redirect, HTTP::Tiny follows the Location header and re-applies the caller's headers to the new request without origin checks. This causes Authorization, Cookie, and Proxy-Authorization headers to be sent to potentially untrusted cross-origin hosts, including insecure downgrade scenarios from HTTPS to HTTP. The module's documentation incorrectly states that Authorization headers are not included in redirected requests, but this applies only to URL-userinfo Basic-auth, not explicitly set headers.
Potential Impact
Sensitive credential headers may be leaked to unintended third-party hosts during HTTP redirects, potentially exposing authentication tokens or cookies. This can lead to credential compromise if an attacker controls or intercepts the redirect target, especially in downgrade scenarios from HTTPS to HTTP where credentials are transmitted in plaintext.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid passing sensitive headers explicitly when following redirects with HTTP::Tiny or implement manual redirect handling with origin checks to prevent credential leakage.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-04-25T10:30:05.190Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4d4571c9d9e3dbe3a44f3e
Added to database: 07/07/2026, 18:29:05 UTC
Last enriched: 07/07/2026, 18:43:23 UTC
Last updated: 07/07/2026, 19:19:56 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.