Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths
Summary
| CVE | CVE-2026-9658 |
|---|---|
| State | PUBLISHED |
| Assigner | CPANSec |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-28 13:16:25 UTC |
| Updated | 2026-05-29 15:29:42 UTC |
| Description | Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in request paths unless they were double-encoded; for example, a request line such as `GET /path\r\nHTTP/1.1\r\nHost: secret.example.com` was not blocked. Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers. |
Risk And Classification
Problem Types: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers; CWE-790 Improper Filtering of Special Elements
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | RRWO | PlackMiddlewareSecurityCommon | affected: versions before 0.13.1 (version type: custom) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | |
| www.openwall.com/lists/oss-security/2026/05/28/9 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Upgrade to 0.13.1 or later.
Workarounds
CNA: Use with the non_printable_chars rule to block header injections.
There are currently no legacy QID mappings associated with this CVE.