CVE-2025-40927

{"id": "CVE-2025-40927", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2025-08-29T01:15:34.553", "references": [{"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2320", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://datatracker.ietf.org/doc/html/rfc7230#section-3", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/MANWAR/CGI-Simple-1.281/diff/MANWAR/CGI-Simple-1.282/lib/CGI/Simple.pm", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/MANWAR/CGI-Simple-1.281/source/lib/CGI/Simple.pm#L1031-1035", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://rt.perl.org/Public/Bug/Display.html?id=21951", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-113"}]}], "descriptions": [{"lang": "en", "value": "CGI::Simple versions before 1.282 for Perl has a HTTP response splitting flaw\nThis vulnerability is a confirmed HTTP response splitting\u00a0flaw in CGI::Simple\u00a0that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain conditions.\n\nAlthough some validation exists, it can be bypassed using URL-encoded values, allowing an attacker to inject untrusted content into the response via query parameters.\n\n\n\nAs a result, an attacker can inject a line break (e.g. %0A) into the parameter value, causing the server to split the HTTP response and inject arbitrary headers or even an HTML/JavaScript body, leading to reflected cross-site scripting (XSS), open redirect or other attacks.\n\nThe issue documented in CVE-2010-4410 https://www.cve.org/CVERecord?id=CVE-2010-4410 is related but the fix was incomplete.\n\nImpact\n\nBy injecting %0A\u00a0(newline) into a query string parameter, an attacker can:\n\n * Break the current HTTP header\n * Inject a new header or entire body\n * Deliver a script payload that is reflected in the server\u2019s response\nThat can lead to the following attacks:\n\n * reflected XSS\n * open redirect\n * cache poisoning\n * header manipulation"}], "lastModified": "2025-08-29T16:24:29.730", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}