Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-7381
StatePUBLISHED
AssignerCPANSec
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-04-29 23:16:19 UTC
Updated2026-04-29 23:16:19 UTC
DescriptionPlack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

Risk And Classification

Problem Types: CWE-200 | CWE-441 | CWE-913 | CWE-200 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | CWE-441 CWE-441 Unintended Proxy or Intermediary | CWE-913 CWE-913 Improper Control of Dynamically-Managed Code Resources

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA MIYAGAWA PlackMiddlewareXSendfile affected 1.0053 custom Not specified

References

ReferenceSourceLinkTags
metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSend... 9b29abf9-4ab0-4765-b253-1875cd9b441e metacpan.org
metacpan.org/release/MIYAGAWA/Plack-1.0053/changes 9b29abf9-4ab0-4765-b253-1875cd9b441e metacpan.org
nvd.nist.gov/vuln/detail/CVE-2025-61780 9b29abf9-4ab0-4765-b253-1875cd9b441e nvd.nist.gov
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: CPANSec (en)

Additional Advisory Data

SourceTimeEvent
CNA2025-10-10T00:00:00.000ZIssue for Rack::Sendfile reported
CNA2026-04-27T00:00:00.000ZIssue reported to maintainer of Plack
CNA2025-04-28T00:00:00.000ZPlack 1.0052 released with improved security documentation in Plack::Middleware::XSendfile
CNA2025-04-29T00:00:00.000ZPlack 1.0053 released that deprecates Plack::Middleware::XSendfile

Solutions

CNA: Users are encouraged to set the appropriate header directly in their applications, or write their own middleware layer that does not allow configuration to be passed via HTTP request headers.

Workarounds

CNA: Users can configure the X-Sendfile-Type in the middleware constructor, and the reverse proxy to unset the X-Sendfile-Type header and (on nginx) the X-Accel-Mapping request header.

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report