PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7017 HAARG CVE debrief

HTTP::Tiny versions before 0.095 for Perl contain a vulnerability that forwards credential headers to cross-origin redirect targets. When a server returns a 3xx redirect, the `_maybe_redirect` function follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request without checking whether the redirect target shares an origin with the original URL. This results in caller-supplied `Authorization`, `Cookie`, and `Proxy-Authorization` headers being re-sent to the redirect target, potentially across scheme, host, or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire.

Vendor
HAARG
Product
HTTP::Tiny
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Developers and administrators using HTTP::Tiny versions before 0.095 for Perl should be aware of this vulnerability and take steps to mitigate it. This vulnerability could potentially expose sensitive credentials to unauthorized parties.

Technical summary

The HTTP::Tiny library for Perl, versions before 0.095, does not properly handle redirects when re-merging headers. Specifically, when a 3xx redirect is encountered, the library follows the redirect and re-sends the original headers, including sensitive ones like `Authorization`, `Cookie`, and `Proxy-Authorization`, to the new location. This can lead to unintended exposure of credentials, especially in cases where the redirect target is not the same origin as the original request.

Defensive priority

High

Recommended defensive actions

  • Upgrade to HTTP::Tiny version 0.095 or later
  • Review and update code that uses HTTP::Tiny to ensure proper handling of redirects and sensitive headers
  • Implement compensating controls, such as monitoring and filtering of sensitive headers
  • Consider using alternative libraries or frameworks with built-in protections for sensitive headers
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-07T19:16:55.530Z and has not been modified since then. The NVD entry is currently Received. There is limited evidence available to confirm affected scope and severity beyond vendor statements. Defenders should verify managed environments for affected product deployments, review official advisories, and plan for vendor-supported updates or mitigations. Compensating controls should be reviewed for exposed systems while remediation is scheduled and verified.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T19:16:55.530Z and has not been modified since then.