Bug#1138858: HTTP-Tiny: CVE-2026-7010
Niko Tyni
ntyni at debian.org
Thu Jun 4 20:52:46 BST 2026
Package: perl
Version: 5.40.1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, libhttp-tiny-perl at packages.debian.org
Forwarded: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d
Control: found -1 5.32.1-4
Control: found -1 5.36.0-1
Control: found -1 5.42.2-1
The following vulnerability was published [0] for HTTP-Tiny:
CVE ID: CVE-2026-7010
Distribution: HTTP-Tiny
Versions: before 0.093
MetaCPAN: https://metacpan.org/dist/HTTP-Tiny
VCS Repo: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP
request lines or control field header values.
The unvalidated inputs are the method and URI in the request line, the
URL host that becomes the `Host:` header, and HTTP/1.1 control data
field values.
An attacker who controls one of these inputs, for example a user
supplied URL passed to a webhook or URL fetch endpoint, can inject
additional headers and smuggle requests to the upstream server.
This CPAN module is shipped in both libhttp-tiny-perl and perl. The
libhttp-tiny-perl package was already fixed for sid + forky in version
0.092-2. The issue is marked as no-dsa in the security tracker [1].
Copying the libhttp-tiny-perl maintainers, and Salvatore for his security
hat. I suppose we can manage without a separate libhttp-tiny-perl bug
at this point, but feel free to clone one if it helps.
[0] https://lists.security.metacpan.org/cve-announce/msg/39952806/
[1] https://security-tracker.debian.org/tracker/CVE-2026-7010
--
Niko Tyni ntyni at debian.org
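As an added example (not the upstream patch from the linked commit, and not part of this bug report), here is the kind of caller-side check a webhook or URL-fetch endpoint can apply before handing user-controlled input to an unfixed HTTP::Tiny: it rejects CR/LF and other control characters in the method, the request target, the authority that becomes the `Host:` header, and any caller-supplied header values. The helper names `check_request_inputs` and `guarded_request` are assumptions; the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# Any C0 control (CR \x0D and LF \x0A included) or DEL: none of these
# belong in a request line or a header field value.
my $CTL = qr/[\x00-\x1F\x7F]/;

# Returns the names of the offending inputs; an empty list means "safe".
sub check_request_inputs {
    my (%args) = @_;
    my @bad;
    # Method must be an RFC 9110 token: no whitespace, no controls.
    push @bad, 'method'
        unless defined $args{method}
            && $args{method} =~ /\A[!#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/;
    # Request target: the raw URL string goes into the request line.
    push @bad, 'url'
        unless defined $args{url} && $args{url} !~ $CTL && $args{url} !~ /[ \t]/;
    # Host: the authority component is what becomes the Host: header.
    if (defined $args{url}) {
        my ($authority) = $args{url} =~ m{\A[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)};
        push @bad, 'host'
            unless defined $authority && length $authority
                && $authority =~ /\A[A-Za-z0-9.\-_~%:\[\]]+\z/;
    }
    # Caller-supplied header values: no control characters at all.
    my $headers = $args{headers} || {};
    for my $name (sort keys %$headers) {
        my @values = ref $headers->{$name} eq 'ARRAY'
            ? @{ $headers->{$name} } : ($headers->{$name});
        push @bad, "header:$name" if grep { !defined $_ || $_ =~ $CTL } @values;
    }
    return @bad;
}

# Wrapper around HTTP::Tiny->request that refuses to send tainted input.
sub guarded_request {
    my ($method, $url, $opts) = @_;
    $opts ||= {};
    my @bad = check_request_inputs(method => $method, url => $url,
                                   headers => $opts->{headers});
    die "refusing request: unsafe " . join(', ', @bad) . "\n" if @bad;
    return HTTP::Tiny->new->request($method, $url, $opts);
}

# Constructed sample inputs (no network traffic): a benign URL and one
# whose host part carries CRLF; the second is reported as 'url' and 'host'.
for my $url ('https://example.com/hook', "https://example.com\r\nX-Injected: 1\r\n/hook") {
    my @bad = check_request_inputs(method => 'GET', url => $url);
    printf "%-30s -> %s\n", (split /\r/, $url)[0], @bad ? "REJECT (@bad)" : 'ok';
}
```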