External risk intelligence

An attacker can rewrite file paths to gain control of your server.

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-7381

A critical flaw in Plack::Middleware::XSendfile lets attackers read any file on your server by tricking it into rewriting paths, potentially exposing sensitive data from internet-facing web applications.

Halo Surface Signal: 4

Information Disclosure

Vendor / product: Miyagawa Plack

Affected versions: 1.0053 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-7381

This middleware is used by web applications to handle static file serving. These applications are routinely deployed behind reverse proxies like Nginx to serve public HTTP traffic. Because the vulnerability is triggered by standard HTTP request headers processed by the web server/application stack, the attack surface is exposed wherever the web application is accessible to the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in Plack::Middleware::XSendfile that could allow a malicious client to rewrite file paths. This means that if your web application uses this middleware, an attacker could potentially trick it into serving unintended files from your server.

  • Allows attackers to read arbitrary files.
  • High impact on data confidentiality.
  • Affects applications using Perl and Plack::Middleware::XSendfile.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by sending a specially crafted HTTP request to a web application using the vulnerable Plack::Middleware::XSendfile. The attacker will manipulate the `X-Sendfile-Type` and `X-Sendfile-Mapping` headers to trick the middleware into revealing arbitrary files on the server, likely through a reverse proxy configuration like Nginx.

  • Client sends HTTP request.
  • `X-Sendfile-Type` header abused.
  • Arbitrary file read achieved.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for arbitrary file access through path rewriting, a capability that is highly attractive to attackers. While this specific middleware is deprecated, its functionality in handling file serving within Perl applications means it could be present in older, unpatched systems. The public availability of details and its similarity to a previous vulnerability suggest that exploitation could be straightforward for those targeting Perl-based web services.

  • Public exploit details exist.
  • Middleware is deprecated.
  • Exploitation is similar to a past CVE.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize investigating and mitigating Plack::Middleware::XSendfile versions through 1.0053, as they are critically vulnerable to path traversal. The middleware's deprecation and removal in future versions indicate it should be disabled or replaced.

  • Block requests with suspicious `X-Sendfile-Type` headers.
  • Update to a non-vulnerable Plack version.
  • Monitor for unexpected file access patterns.
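The attack path and the fix above both come down to one trust boundary: Plack::Middleware::XSendfile reads its behaviour from request headers (`X-Sendfile-Type`, `X-Sendfile-Mapping`) that are meant to be set by the reverse proxy, but any client can send them too. The script below is an added example, not code from Plack or from this advisory. It wraps the application in a small PSGI middleware that drops client-supplied copies of those headers (logging each attempt as a detection signal), installs the operator's own value instead, and then replays a constructed hostile request through Plack::Test to show the client's mapping being ignored. The trusted type `X-Accel-Redirect` and the temp-file inner app are assumptions for the demo; the `HTTP_X_SENDFILE_*` env keys are how PSGI exposes those request headers.

```perl
#!/usr/bin/env perl
# Added example, not Plack's own code: a PSGI wrapper that refuses
# client-supplied X-Sendfile-Type / X-Sendfile-Mapping headers, logs the
# attempt, and lets only server-side configuration drive XSendfile.
use strict;
use warnings;
use Plack::Builder;
use Plack::Test;
use Plack::Util;
use HTTP::Request::Common;
use File::Temp qw(tempfile);

# PSGI stores request headers as HTTP_<NAME>, so both headers named in the
# advisory arrive in $env under these keys regardless of who sent them.
my @XSENDFILE_KEYS = qw(HTTP_X_SENDFILE_TYPE HTTP_X_SENDFILE_MAPPING);

# The value the operator trusts. Assumption: Nginx in front, so
# X-Accel-Redirect. Set to undef to keep XSendfile inert entirely.
my $TRUSTED_TYPE = 'X-Accel-Redirect';

# Middleware: strip whatever the client sent, record it, then set the
# trusted value so the inner XSendfile middleware never sees client input.
sub strip_client_xsendfile {
    my $app = shift;
    return sub {
        my $env = shift;
        for my $key (@XSENDFILE_KEYS) {
            next unless exists $env->{$key};
            # Detection signal: a client had no business sending this header.
            warn sprintf "dropping client-supplied %s=%s from %s\n",
                $key, $env->{$key}, $env->{REMOTE_ADDR} // '-';
            delete $env->{$key};
        }
        $env->{HTTP_X_SENDFILE_TYPE} = $TRUSTED_TYPE if defined $TRUSTED_TYPE;
        return $app->($env);
    };
}

# Constructed inner app: serves a temp file through a filehandle that carries
# a path, which is what XSendfile looks for when deciding to rewrite.
my ($tmp, $file) = tempfile(UNLINK => 1);
print {$tmp} "hello\n";
close $tmp;

my $inner = sub {
    open my $in, '<', $file or die "open $file: $!";
    Plack::Util::set_io_path($in, $file);
    return [200, ['Content-Type' => 'text/plain'], $in];
};

my $app = builder {
    enable \&strip_client_xsendfile;   # runs before XSendfile on every request
    enable 'XSendfile';
    $inner;
};

# Constructed hostile request: the client tries to choose both the header
# name and the path mapping. After the wrapper runs, only $TRUSTED_TYPE and
# the server's own path reach XSendfile.
test_psgi app => $app, client => sub {
    my $cb  = shift;
    my $res = $cb->(GET '/report',
        'X-Sendfile-Type'    => 'X-Accel-Redirect',
        'X-Sendfile-Mapping' => "$file=/etc/passwd");
    printf "status=%d\nserved path=%s\nX-Accel-Redirect=%s\n",
        $res->code, $file, $res->header('X-Accel-Redirect') // '(none)';
};
```

Run it with `perl` on a host that has Plack installed; the `warn` line is what to ship to the log pipeline for the "monitor for unexpected file access patterns" action, since a legitimate browser never sends these headers. The proxy side of the same boundary is to set the header yourself (for Nginx, `proxy_set_header X-Sendfile-Type X-Accel-Redirect;`) so the application does not depend on whatever the client forwarded.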

Frequently asked questions

What is Plack::Middleware::XSendfile and how is it used?

Plack::Middleware::XSendfile is a component used in Perl web applications that helps manage how static files are served. It allows applications to offload the task of sending files directly to the web server, which can improve performance.

What is the weakness in Plack::Middleware::XSendfile (CVE-2026-7381)?

The weakness, classified as CWE-441 (Improper Access Control) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), allows a client to control file paths. This means an attacker could trick the middleware into revealing or serving unintended files from the server.

How can an attacker exploit Plack::Middleware::XSendfile?

An attacker can exploit this by sending a specially crafted HTTP request that manipulates the `X-Sendfile-Type` and `X-Sendfile-Mapping` headers. This can cause the middleware to redirect to, or serve, an arbitrary file on the server, especially when used with reverse proxies like Nginx.

Who should be concerned about this vulnerability?

Organizations running web applications that use Plack::Middleware::XSendfile versions up to 1.0053 should be concerned. Since these applications often serve public internet traffic, the attack surface is considered external and likely exposed.

What is the first step to address this CVE?

Plack::Middleware::XSendfile is deprecated and slated for removal. The recommended first step is to disable or replace this middleware in your Perl web applications to prevent exploitation.
