CVE-2026-9658
Description
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.
The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,
GET /path\r\nHTTP/1.1\r\nHost: secret.example.com
Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
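As an added illustration, not code from Plack::Middleware::Security::Common or its 0.13.1 fix, the following Python check shows the gap the description above names: weak_check is an assumed reconstruction of the pre-0.13.1 behaviour (only double-encoded CR/LF caught), and hardened_check rejects raw, single- and double-encoded sequences by percent-decoding the path in layers. The sample paths, including the request line quoted above, are constructed.

```python
import re
from urllib.parse import unquote

# Constructed defender-side check for CR/LF in a request path. Not the
# module's own code; it illustrates the behaviour the advisory describes.

CRLF_RAW = re.compile(r"[\r\n]")
# Assumed reconstruction of the weak rule: only the double-encoded form
# (%250d / %250a) is matched, so raw or singly-encoded CR/LF passes through.
CRLF_DOUBLE_ENCODED = re.compile(r"%25(?:0d|0a)", re.IGNORECASE)


def weak_check(path: str) -> bool:
    """True if the path would be blocked (assumed pre-0.13.1 behaviour)."""
    return bool(CRLF_DOUBLE_ENCODED.search(path))


def hardened_check(path: str, max_decode: int = 3) -> bool:
    """True if any percent-decoding layer of the path contains CR or LF."""
    candidate = path
    for _ in range(max_decode + 1):
        if CRLF_RAW.search(candidate):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:  # nothing left to decode: path is clean
            return False
        candidate = decoded
    return False  # decoding budget exhausted without finding CR/LF


# Constructed request paths; the first is the one quoted in the advisory.
SAMPLE_PATHS = [
    "/path\r\nHTTP/1.1\r\nHost: secret.example.com",  # raw CRLF
    "/path%0d%0aHost:%20secret.example.com",           # single-encoded
    "/path%250d%250aHost:%20secret.example.com",       # double-encoded
    "/path?q=hello%20world",                           # benign
]


def compare(paths=SAMPLE_PATHS):
    """Return (path, weak_blocked, hardened_blocked) for each sample path."""
    return [(p, weak_check(p), hardened_check(p)) for p in paths]


if __name__ == "__main__":
    for p, weak, hard in compare():
        print(f"{p!r:50} weak={weak!s:5} hardened={hard}")
```

Only the double-encoded sample is caught by the weak rule, while the hardened check blocks all three injected forms and lets the benign path through.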
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Plack::Middleware::Security::Common before 0.13.1 fails to block CRLF header injection in request paths, allowing attackers to inject arbitrary HTTP headers.
Vulnerability
Plack::Middleware::Security::Common versions before 0.13.1 for Perl contain a flaw in the header_injection rule that fails to block CRLF (carriage return line feed) sequences in request paths unless they are double-encoded. This allows an attacker to inject additional HTTP headers by including \r\n followed by header lines in the request path, as in GET /path\r\nHTTP/1.1\r\nHost: secret.example.com. The vulnerability affects all versions prior to the fix [1].
Exploitation
An attacker with network access to the application can send a crafted HTTP request with CRLF sequences embedded in the request path. No authentication or special privileges are required. The attacker constructs a request path containing \r\n and additional header lines, which the middleware fails to sanitize. The effectiveness of the attack may be influenced by reverse proxy behavior, as some proxies might strip or reject such malformed requests [1].
Impact
Successful exploitation allows the attacker to inject arbitrary HTTP headers into the request as processed by the Plack-based server. This can lead to HTTP response splitting, cache poisoning, or bypassing security controls that rely on header inspection. The attacker can manipulate headers such as Host to redirect traffic or inject malicious content [1].
Mitigation
The vulnerability is fixed in version 0.13.1, released on 2026-05-26 [1]. Users should upgrade to this version immediately. No workarounds are documented, and the CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.13.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.