CVE-2026-9658: Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths
Robert Rothenberg 28 May 2026 11:39 UTC
========================================================================
CVE-2026-9658 CPAN Security Group
========================================================================
CVE ID: CVE-2026-9658
Distribution: Plack-Middleware-Security-Simple
Versions: before 0.13.1
MetaCPAN: https://metacpan.org/dist/Plack-Middleware-Security-Simple
VCS Repo: https://github.com/robrwo/Plack-Middleware-Security-Simple
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did
not block header injections in request paths
Description
-----------
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did
not block header injections in request paths.
The header injection rule was ineffective at blocking header injections
in request paths unless the CRLF sequences were double-encoded. For
example, a request path that decoded to
GET /path\r\nHTTP/1.1\r\nHost: secret.example.com
was not blocked.
Note that it is unclear whether request paths with CRLF followed by
additional headers would be blocked by reverse proxies, or how they
would be processed by Plack-based servers.
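The following is an added illustration and is not code from this advisory or from Plack-Middleware-Security-Simple. It models the class of bug described above: a rule that looks only for percent-encoded CR/LF in PATH_INFO, which a PSGI server has already URL-decoded once, catches only double-encoded payloads, while a rule that also rejects raw CR/LF bytes catches the single-encoded case. The helper and rule names (decode_request_target, encoded_crlf_in_path, any_crlf_in_path) and the rule bodies are assumptions for the example, not the module's actual implementation, and the request targets are constructed.

```perl
#!/usr/bin/env perl
# Added example, not the module's code: why matching only "%0D"/"%0A" in an
# already-decoded path misses single-encoded CRLF injections.
use strict;
use warnings;

# Stand-in for a PSGI server decoding the request-target once before it
# populates PATH_INFO. Hypothetical helper, not Plack's own.
sub decode_request_target {
    my ($raw_target) = @_;
    (my $decoded = $raw_target) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $decoded;
}

# Weak rule (assumption): looks only for percent-encoded CR/LF. After one
# server-side decode, only a double-encoded payload (%250D -> "%0D") matches.
sub encoded_crlf_in_path {
    my ($env) = @_;
    return $env->{PATH_INFO} =~ /%0[ad]/i ? 1 : 0;
}

# Effective rule (assumption): also rejects raw CR/LF bytes, which is what a
# single-encoded payload becomes after the server decodes it.
sub any_crlf_in_path {
    my ($env) = @_;
    return 1 if $env->{PATH_INFO} =~ /%0[ad]/i;   # double-encoded
    return 1 if $env->{PATH_INFO} =~ /[\r\n]/;    # single-encoded, now raw
    return 0;
}

# Constructed request targets: the single- and double-encoded forms of the
# advisory's example path, plus a benign path.
my @cases = (
    [ single => '/path%0D%0AHTTP/1.1%0D%0AHost:%20secret.example.com' ],
    [ double => '/path%250D%250AHTTP/1.1%250D%250AHost:%2520secret.example.com' ],
    [ benign => '/path/to/resource' ],
);

for my $case (@cases) {
    my ($label, $raw) = @$case;
    my $env = { PATH_INFO => decode_request_target($raw) };
    printf "%-6s encoded-only rule: %-5s  raw+encoded rule: %s\n",
        $label,
        encoded_crlf_in_path($env) ? 'BLOCK' : 'pass',
        any_crlf_in_path($env)     ? 'BLOCK' : 'pass';
}
```

Running this prints "pass" for the single-encoded case under the encoded-only rule and "BLOCK" under the rule that also checks raw bytes; the double-encoded case is blocked by both and the benign path by neither. A rule that rejects raw control characters in the decoded path is the same idea behind the non_printable_chars workaround below.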
Problem types
-------------
- CWE-790 Improper Filtering of Special Elements
- CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers
Workarounds
-----------
Use with the non_printable_chars rule to block header injections.
Solutions
---------
Upgrade to 0.13.1 or later.
References
----------
https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes