PatchSiren cyber security CVE debrief
CVE-2026-7017 HAARG CVE debrief
HTTP::Tiny versions before 0.095 for Perl contain a vulnerability that forwards credential headers to cross-origin redirect targets. When a server returns a 3xx redirect, the `_maybe_redirect` function follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request without checking whether the redirect target shares an origin with the original URL. This results in caller-supplied `Authorization`, `Cookie`, and `Proxy-Authorization` headers being re-sent to the redirect target, potentially across scheme, host, or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire.
- Vendor
- HAARG
- Product
- HTTP::Tiny
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Developers and administrators using HTTP::Tiny versions before 0.095 for Perl should be aware of this vulnerability and take steps to mitigate it. This vulnerability could potentially expose sensitive credentials to unauthorized parties.
Technical summary
The HTTP::Tiny library for Perl, versions before 0.095, does not properly handle redirects when re-merging headers. Specifically, when a 3xx redirect is encountered, the library follows the redirect and re-sends the original headers, including sensitive ones like `Authorization`, `Cookie`, and `Proxy-Authorization`, to the new location. This can lead to unintended exposure of credentials, especially in cases where the redirect target is not the same origin as the original request.
Defensive priority
High
Recommended defensive actions
- Upgrade to HTTP::Tiny version 0.095 or later
- Review and update code that uses HTTP::Tiny to ensure proper handling of redirects and sensitive headers
- Implement compensating controls, such as monitoring and filtering of sensitive headers
- Consider using alternative libraries or frameworks with built-in protections for sensitive headers
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-07T19:16:55.530Z and has not been modified since then. The NVD entry is currently Received. There is limited evidence available to confirm affected scope and severity beyond vendor statements. Defenders should verify managed environments for affected product deployments, review official advisories, and plan for vendor-supported updates or mitigations. Compensating controls should be reviewed for exposed systems while remediation is scheduled and verified.
Official resources
-
CVE-2026-7017 CVE record
CVE.org
-
CVE-2026-7017 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T19:16:55.530Z and has not been modified since then.