Security Advisories (1)
CVE-2025-40927 (2025-08-29)

CGI::Simple versions before 1.282 for Perl have an HTTP response splitting flaw.

This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain conditions.

Although some validation exists, it can be bypassed using URL-encoded values, allowing an attacker to inject untrusted content into the response via query parameters. As a result, an attacker can inject a line break (e.g. %0A) into the parameter value, causing the server to split the HTTP response and inject arbitrary headers or even an HTML/JavaScript body, leading to reflected cross-site scripting (XSS), open redirect or other attacks.

The issue documented in CVE-2010-4410 (https://www.cve.org/CVERecord?id=CVE-2010-4410) is related, but the fix was incomplete.

Impact

By injecting %0A (newline) into a query string parameter, an attacker can:

* Break the current HTTP header
* Inject a new header or entire body
* Deliver a script payload that is reflected in the server’s response

That can lead to the following attacks:

* reflected XSS
* open redirect
* cache poisoning
* header manipulation
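The bypass described in the advisory comes down to where the newline check sits relative to URL decoding. The following Perl sketch is an added example, not code from CGI::Simple: the helper names (`url_decode`, `header_line_weak`, `header_line_strict`), the `Content-Language` header and the sample values are all hypothetical, and the weak variant's validate-then-decode ordering is an assumed illustration of how an encoded value can pass a check.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-decode a query-string value (hypothetical helper, core Perl only).
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Weak ordering (assumed for illustration): the CR/LF check runs on the
# still-encoded text, so "%0A" passes and becomes a real newline afterwards.
sub header_line_weak {
    my ($name, $raw) = @_;
    die "newline in header value\n" if $raw =~ /[\r\n]/;
    return "$name: " . url_decode($raw) . "\r\n";
}

# Corrected ordering: decode first, then reject any CR or LF in the final
# value that will be written to the wire.
sub header_line_strict {
    my ($name, $raw) = @_;
    my $value = url_decode($raw);
    die "newline in header value\n" if $value =~ /[\r\n]/;
    return "$name: $value\r\n";
}

# Constructed sample inputs: one benign, one carrying an encoded line feed.
for my $raw ('en-GB', 'en%0AX-Injected: 1') {
    my $weak = header_line_weak('Content-Language', $raw);
    # Count LF characters: more than one means the header was split.
    my $lines = () = $weak =~ /\n/g;
    printf "%-22s weak: %d line(s)  ", $raw, $lines;

    my $strict = eval { header_line_strict('Content-Language', $raw) };
    print defined $strict ? "strict: accepted\n" : "strict: rejected\n";
}
```

The strict variant rejects every CR or LF outright; an application that needs folded multi-line header values would have to allow that case explicitly.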

Changes for version 1.113 - 2010-12-27

  • (thanks to Yamada Masahiro) randomise multipart boundary string (security).
  • Numerous changes from Mark Stosberg:
    • Port max-age support from CGI.pm, to improve compatibility and RFC-compliance
    • Correct header comment in cookie.t
    • It claims that it is a simple copy/paste/modify from CGI.pm's test by the same name, but this has not been true for some time -- CGI::Simple added httponly tests that CGI.pm lacks, for example.
    • Sync cookie references with CGI.pm: add reference to the newer RFC 2695
    • "Interface to browse cookies" looks like it was typo for "browser". HTTP is more precise.
    • Fix awkward "CGI::Simple.pm" language. It looks like it probably originated from the CGI.pm form. "CGI::Simple" is used instead.
    • Best Practice: eliminate indirect object notation from new(), parse() and fetch() calls
    • Security: Fix handling of embedded malicious newlines in header values. This is a direct port of the same security fix that
    • Security: use a random MIME boundary by default in multipart_init(). This is a direct port of the same issue which was addressed in CGI.pm, preventing some kinds of potential header injection attacks.
    • Port from CGI.pm: Fix multi-line header parsing. This fix is covered by the tests in t/header.t added in the previous patch. If you run those tests without this patch, you'll see how the headers would be malformed without this fix.
    • Port CRLF injection prevention from CGI.pm
    • Optimize Vars(): Don't build %hash if we aren't going to use it.
    • Micro-optimization to Vars(): Don't call "tie" unless we need to.
  • Numerous changes from K. Berov:
    • Added "+" to the mime character class.
    • Added tests for C<$mime = $q->upload_info( $filename, 'mime' );>
    • Fixed wrong match for mimetypes. Example: matched only 'application/vnd' instead of 'application/vnd.ms-excel'.
    • Added "\." to the mime character class

Modules

A Simple totally OO CGI interface that is CGI.pm compliant
Interface to HTTP cookies
a wrapper module for CGI::Simple that provides a function style interface
Internal utilities used by CGI::Simple module