NIXPKGS-2026-1291

GitHub issue published on

Permalink CVE-2026-7381

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 8 hours ago
@LeSuisse ignored
52 packages
- perlPackages.TaskPlack
- perl5Packages.TaskPlack
- perl538Packages.TaskPlack
- perl540Packages.TaskPlack
- perlPackages.PlackAppProxy
- perl5Packages.PlackAppProxy
- perl538Packages.PlackAppProxy
- perl540Packages.PlackAppProxy
- perlPackages.PlackMiddlewareDebug
- perl5Packages.PlackMiddlewareDebug
- perlPackages.PlackMiddlewareHeader
- perl5Packages.PlackMiddlewareHeader
- perlPackages.PlackMiddlewareSession
- perl538Packages.PlackMiddlewareDebug
- perl540Packages.PlackMiddlewareDebug
- perl5Packages.PlackMiddlewareSession
- perlPackages.PlackMiddlewareDeflater
- perlPackages.PlackTestExternalServer
- perl538Packages.PlackMiddlewareHeader
- perl540Packages.PlackMiddlewareHeader
- perl5Packages.PlackMiddlewareDeflater
- perl5Packages.PlackTestExternalServer
- perl538Packages.PlackMiddlewareSession
- perl540Packages.PlackMiddlewareSession
- perlPackages.PlackMiddlewareAuthDigest
- perl538Packages.PlackMiddlewareDeflater
- perl538Packages.PlackTestExternalServer
- perl540Packages.PlackMiddlewareDeflater
- perl540Packages.PlackTestExternalServer
- perl5Packages.PlackMiddlewareAuthDigest
- perlPackages.PlackMiddlewareReverseProxy
- perl538Packages.PlackMiddlewareAuthDigest
- perl540Packages.PlackMiddlewareAuthDigest
- perl5Packages.PlackMiddlewareReverseProxy
- perlPackages.PlackMiddlewareConsoleLogger
- perl5Packages.PlackMiddlewareConsoleLogger
- perlPackages.PlackMiddlewareMethodOverride
- perl538Packages.PlackMiddlewareReverseProxy
- perl540Packages.PlackMiddlewareReverseProxy
- perl5Packages.PlackMiddlewareMethodOverride
- perl538Packages.PlackMiddlewareConsoleLogger
- perl540Packages.PlackMiddlewareConsoleLogger
- perl538Packages.PlackMiddlewareMethodOverride
- perl540Packages.PlackMiddlewareMethodOverride
- perlPackages.PlackMiddlewareRemoveRedundantBody
- perl5Packages.PlackMiddlewareRemoveRedundantBody
- perl538Packages.PlackMiddlewareRemoveRedundantBody
- perl540Packages.PlackMiddlewareRemoveRedundantBody
- perlPackages.PlackMiddlewareFixMissingBodyInRedirect
- perl5Packages.PlackMiddlewareFixMissingBodyInRedirect
- perl538Packages.PlackMiddlewareFixMissingBodyInRedirect
- perl540Packages.PlackMiddlewareFixMissingBodyInRedirect
3 hours ago
@LeSuisse ignored reference https://n… 3 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

References

https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes release-notes
https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XS… technical-description

Ignored references (1)

https://nvd.nist.gov/vuln/detail/CVE-2025-61780 related

Affected products

Plack

=<1.0053

Matching in nixpkgs

pkgs.perlPackages.Plack

Perl Superglue for Web frameworks and Web Servers (PSGI toolkit)

nixos-unstable 1.0050
- nixpkgs-unstable 1.0050
- nixos-unstable-small 1.0050
nixos-25.11 1.0050
- nixos-25.11-small 1.0050
- nixpkgs-25.11-darwin 1.0050

pkgs.perl5Packages.Plack

Perl Superglue for Web frameworks and Web Servers (PSGI toolkit)

nixos-unstable 1.0050
- nixpkgs-unstable 1.0050
- nixos-unstable-small 1.0050

pkgs.perl538Packages.Plack

Perl Superglue for Web frameworks and Web Servers (PSGI toolkit)

nixos-25.11 1.0050
- nixos-25.11-small 1.0050
- nixpkgs-25.11-darwin 1.0050

pkgs.perl540Packages.Plack

Perl Superglue for Web frameworks and Web Servers (PSGI toolkit)

nixos-25.11 1.0050
- nixos-25.11-small 1.0050
- nixpkgs-25.11-darwin 1.0050

Ignored packages (52)

pkgs.perlPackages.TaskPlack

Plack bundle

nixos-unstable 0.28
- nixpkgs-unstable 0.28
- nixos-unstable-small 0.28
nixos-25.11 0.28
- nixos-25.11-small 0.28
- nixpkgs-25.11-darwin 0.28

pkgs.perl5Packages.TaskPlack

Plack bundle

nixos-unstable 0.28
- nixpkgs-unstable 0.28
- nixos-unstable-small 0.28

pkgs.perl538Packages.TaskPlack

Plack bundle

nixos-25.11 0.28
- nixos-25.11-small 0.28
- nixpkgs-25.11-darwin 0.28

pkgs.perl540Packages.TaskPlack

Plack bundle

nixos-25.11 0.28
- nixos-25.11-small 0.28
- nixpkgs-25.11-darwin 0.28

pkgs.perlPackages.PlackAppProxy

Proxy requests

nixos-unstable 0.29
- nixpkgs-unstable 0.29
- nixos-unstable-small 0.29
nixos-25.11 0.29
- nixos-25.11-small 0.29
- nixpkgs-25.11-darwin 0.29

pkgs.perl5Packages.PlackAppProxy

Proxy requests

nixos-unstable 0.29
- nixpkgs-unstable 0.29
- nixos-unstable-small 0.29

pkgs.perl538Packages.PlackAppProxy

Proxy requests

nixos-25.11 0.29
- nixos-25.11-small 0.29
- nixpkgs-25.11-darwin 0.29

pkgs.perl540Packages.PlackAppProxy

Proxy requests

nixos-25.11 0.29
- nixos-25.11-small 0.29
- nixpkgs-25.11-darwin 0.29

pkgs.perlPackages.PlackMiddlewareDebug

Display information about the current request/response

nixos-unstable 0.18
- nixpkgs-unstable 0.18
- nixos-unstable-small 0.18
nixos-25.11 0.18
- nixos-25.11-small 0.18
- nixpkgs-25.11-darwin 0.18

pkgs.perl5Packages.PlackMiddlewareDebug

Display information about the current request/response

nixos-unstable 0.18
- nixpkgs-unstable 0.18
- nixos-unstable-small 0.18

pkgs.perlPackages.PlackMiddlewareHeader

Modify HTTP response headers

nixos-unstable 0.04
- nixpkgs-unstable 0.04
- nixos-unstable-small 0.04
nixos-25.11 0.04
- nixos-25.11-small 0.04
- nixpkgs-25.11-darwin 0.04

pkgs.perl5Packages.PlackMiddlewareHeader

Modify HTTP response headers

nixos-unstable 0.04
- nixpkgs-unstable 0.04
- nixos-unstable-small 0.04

pkgs.perlPackages.PlackMiddlewareSession

Middleware for session management

nixos-unstable 0.33
- nixpkgs-unstable 0.33
- nixos-unstable-small 0.33
nixos-25.11 0.33
- nixos-25.11-small 0.33
- nixpkgs-25.11-darwin 0.33

pkgs.perl538Packages.PlackMiddlewareDebug

Display information about the current request/response

nixos-25.11 0.18
- nixos-25.11-small 0.18
- nixpkgs-25.11-darwin 0.18

pkgs.perl540Packages.PlackMiddlewareDebug

Display information about the current request/response

nixos-25.11 0.18
- nixos-25.11-small 0.18
- nixpkgs-25.11-darwin 0.18

pkgs.perl5Packages.PlackMiddlewareSession

Middleware for session management

nixos-unstable 0.33
- nixpkgs-unstable 0.33
- nixos-unstable-small 0.33

pkgs.perlPackages.PlackMiddlewareDeflater

Compress response body with Gzip or Deflate

nixos-unstable 0.12
- nixpkgs-unstable 0.12
- nixos-unstable-small 0.12
nixos-25.11 0.12
- nixos-25.11-small 0.12
- nixpkgs-25.11-darwin 0.12

pkgs.perlPackages.PlackTestExternalServer

Run HTTP tests on external live servers

nixos-unstable 0.02
- nixpkgs-unstable 0.02
- nixos-unstable-small 0.02
nixos-25.11 0.02
- nixos-25.11-small 0.02
- nixpkgs-25.11-darwin 0.02

pkgs.perl538Packages.PlackMiddlewareHeader

Modify HTTP response headers

nixos-25.11 0.04
- nixos-25.11-small 0.04
- nixpkgs-25.11-darwin 0.04

pkgs.perl540Packages.PlackMiddlewareHeader

Modify HTTP response headers

nixos-25.11 0.04
- nixos-25.11-small 0.04
- nixpkgs-25.11-darwin 0.04

pkgs.perl5Packages.PlackMiddlewareDeflater

Compress response body with Gzip or Deflate

nixos-unstable 0.12
- nixpkgs-unstable 0.12
- nixos-unstable-small 0.12

pkgs.perl5Packages.PlackTestExternalServer

Run HTTP tests on external live servers

nixos-unstable 0.02
- nixpkgs-unstable 0.02
- nixos-unstable-small 0.02

pkgs.perl538Packages.PlackMiddlewareSession

Middleware for session management

nixos-25.11 0.33
- nixos-25.11-small 0.33
- nixpkgs-25.11-darwin 0.33

pkgs.perl540Packages.PlackMiddlewareSession

Middleware for session management

nixos-25.11 0.33
- nixos-25.11-small 0.33
- nixpkgs-25.11-darwin 0.33

pkgs.perlPackages.PlackMiddlewareAuthDigest

Digest authentication

nixos-unstable 0.05
- nixpkgs-unstable 0.05
- nixos-unstable-small 0.05
nixos-25.11 0.05
- nixos-25.11-small 0.05
- nixpkgs-25.11-darwin 0.05

pkgs.perl538Packages.PlackMiddlewareDeflater

Compress response body with Gzip or Deflate

nixos-25.11 0.12
- nixos-25.11-small 0.12
- nixpkgs-25.11-darwin 0.12

pkgs.perl538Packages.PlackTestExternalServer

Run HTTP tests on external live servers

nixos-25.11 0.02
- nixos-25.11-small 0.02
- nixpkgs-25.11-darwin 0.02

pkgs.perl540Packages.PlackMiddlewareDeflater

Compress response body with Gzip or Deflate

nixos-25.11 0.12
- nixos-25.11-small 0.12
- nixpkgs-25.11-darwin 0.12

pkgs.perl540Packages.PlackTestExternalServer

Run HTTP tests on external live servers

nixos-25.11 0.02
- nixos-25.11-small 0.02
- nixpkgs-25.11-darwin 0.02

pkgs.perl5Packages.PlackMiddlewareAuthDigest

Digest authentication

nixos-unstable 0.05
- nixpkgs-unstable 0.05
- nixos-unstable-small 0.05

pkgs.perlPackages.PlackMiddlewareReverseProxy

Supports app to run as a reverse proxy backend

nixos-unstable 0.16
- nixpkgs-unstable 0.16
- nixos-unstable-small 0.16
nixos-25.11 0.16
- nixos-25.11-small 0.16
- nixpkgs-25.11-darwin 0.16

pkgs.perl538Packages.PlackMiddlewareAuthDigest

Digest authentication

nixos-25.11 0.05
- nixos-25.11-small 0.05
- nixpkgs-25.11-darwin 0.05

pkgs.perl540Packages.PlackMiddlewareAuthDigest

Digest authentication

nixos-25.11 0.05
- nixos-25.11-small 0.05
- nixpkgs-25.11-darwin 0.05

pkgs.perl5Packages.PlackMiddlewareReverseProxy

Supports app to run as a reverse proxy backend

nixos-unstable 0.16
- nixpkgs-unstable 0.16
- nixos-unstable-small 0.16

pkgs.perlPackages.PlackMiddlewareConsoleLogger

Write logs to Firebug or Webkit Inspector

nixos-unstable 0.05
- nixpkgs-unstable 0.05
- nixos-unstable-small 0.05
nixos-25.11 0.05
- nixos-25.11-small 0.05
- nixpkgs-25.11-darwin 0.05

pkgs.perl5Packages.PlackMiddlewareConsoleLogger

Write logs to Firebug or Webkit Inspector

nixos-unstable 0.05
- nixpkgs-unstable 0.05
- nixos-unstable-small 0.05

pkgs.perlPackages.PlackMiddlewareMethodOverride

Override REST methods to Plack apps via POST

nixos-unstable 0.20
- nixpkgs-unstable 0.20
- nixos-unstable-small 0.20
nixos-25.11 0.20
- nixos-25.11-small 0.20
- nixpkgs-25.11-darwin 0.20

pkgs.perl538Packages.PlackMiddlewareReverseProxy

Supports app to run as a reverse proxy backend

nixos-25.11 0.16
- nixos-25.11-small 0.16
- nixpkgs-25.11-darwin 0.16

pkgs.perl540Packages.PlackMiddlewareReverseProxy

Supports app to run as a reverse proxy backend

nixos-25.11 0.16
- nixos-25.11-small 0.16
- nixpkgs-25.11-darwin 0.16

pkgs.perl5Packages.PlackMiddlewareMethodOverride

Override REST methods to Plack apps via POST

nixos-unstable 0.20
- nixpkgs-unstable 0.20
- nixos-unstable-small 0.20

pkgs.perl538Packages.PlackMiddlewareConsoleLogger

Write logs to Firebug or Webkit Inspector

nixos-25.11 0.05
- nixos-25.11-small 0.05
- nixpkgs-25.11-darwin 0.05

pkgs.perl540Packages.PlackMiddlewareConsoleLogger

Write logs to Firebug or Webkit Inspector

nixos-25.11 0.05
- nixos-25.11-small 0.05
- nixpkgs-25.11-darwin 0.05

pkgs.perl538Packages.PlackMiddlewareMethodOverride

Override REST methods to Plack apps via POST

nixos-25.11 0.20
- nixos-25.11-small 0.20
- nixpkgs-25.11-darwin 0.20

pkgs.perl540Packages.PlackMiddlewareMethodOverride

Override REST methods to Plack apps via POST

nixos-25.11 0.20
- nixos-25.11-small 0.20
- nixpkgs-25.11-darwin 0.20

pkgs.perlPackages.PlackMiddlewareRemoveRedundantBody

Plack::Middleware which removes body for HTTP response if it's not required

nixos-unstable 0.09
- nixpkgs-unstable 0.09
- nixos-unstable-small 0.09
nixos-25.11 0.09
- nixos-25.11-small 0.09
- nixpkgs-25.11-darwin 0.09

pkgs.perl5Packages.PlackMiddlewareRemoveRedundantBody

Plack::Middleware which removes body for HTTP response if it's not required

nixos-unstable 0.09
- nixpkgs-unstable 0.09
- nixos-unstable-small 0.09

pkgs.perl538Packages.PlackMiddlewareRemoveRedundantBody

Plack::Middleware which removes body for HTTP response if it's not required

nixos-25.11 0.09
- nixos-25.11-small 0.09
- nixpkgs-25.11-darwin 0.09

pkgs.perl540Packages.PlackMiddlewareRemoveRedundantBody

Plack::Middleware which removes body for HTTP response if it's not required

nixos-25.11 0.09
- nixos-25.11-small 0.09
- nixpkgs-25.11-darwin 0.09

pkgs.perlPackages.PlackMiddlewareFixMissingBodyInRedirect

Plack::Middleware which sets body for redirect response, if it's not already set

nixos-unstable 0.12
- nixpkgs-unstable 0.12
- nixos-unstable-small 0.12
nixos-25.11 0.12
- nixos-25.11-small 0.12
- nixpkgs-25.11-darwin 0.12

pkgs.perl5Packages.PlackMiddlewareFixMissingBodyInRedirect

Plack::Middleware which sets body for redirect response, if it's not already set

nixos-unstable 0.12
- nixpkgs-unstable 0.12
- nixos-unstable-small 0.12

pkgs.perl538Packages.PlackMiddlewareFixMissingBodyInRedirect

Plack::Middleware which sets body for redirect response, if it's not already set

nixos-25.11 0.12
- nixos-25.11-small 0.12
- nixpkgs-25.11-darwin 0.12

pkgs.perl540Packages.PlackMiddlewareFixMissingBodyInRedirect

Plack::Middleware which sets body for redirect response, if it's not already set

nixos-25.11 0.12
- nixos-25.11-small 0.12
- nixpkgs-25.11-darwin 0.12

Details of issue NIXPKGS-2026-1291

References

Affected products

Matching in nixpkgs

pkgs.perlPackages.Plack

pkgs.perl5Packages.Plack

pkgs.perl538Packages.Plack

pkgs.perl540Packages.Plack

pkgs.perlPackages.TaskPlack

pkgs.perl5Packages.TaskPlack

pkgs.perl538Packages.TaskPlack

pkgs.perl540Packages.TaskPlack

pkgs.perlPackages.PlackAppProxy

pkgs.perl5Packages.PlackAppProxy

pkgs.perl538Packages.PlackAppProxy

pkgs.perl540Packages.PlackAppProxy

pkgs.perlPackages.PlackMiddlewareDebug

pkgs.perl5Packages.PlackMiddlewareDebug

pkgs.perlPackages.PlackMiddlewareHeader

pkgs.perl5Packages.PlackMiddlewareHeader

pkgs.perlPackages.PlackMiddlewareSession

pkgs.perl538Packages.PlackMiddlewareDebug

pkgs.perl540Packages.PlackMiddlewareDebug

pkgs.perl5Packages.PlackMiddlewareSession

pkgs.perlPackages.PlackMiddlewareDeflater

pkgs.perlPackages.PlackTestExternalServer

pkgs.perl538Packages.PlackMiddlewareHeader

pkgs.perl540Packages.PlackMiddlewareHeader

pkgs.perl5Packages.PlackMiddlewareDeflater

pkgs.perl5Packages.PlackTestExternalServer

pkgs.perl538Packages.PlackMiddlewareSession

pkgs.perl540Packages.PlackMiddlewareSession

pkgs.perlPackages.PlackMiddlewareAuthDigest

pkgs.perl538Packages.PlackMiddlewareDeflater

pkgs.perl538Packages.PlackTestExternalServer

pkgs.perl540Packages.PlackMiddlewareDeflater

pkgs.perl540Packages.PlackTestExternalServer

pkgs.perl5Packages.PlackMiddlewareAuthDigest

pkgs.perlPackages.PlackMiddlewareReverseProxy

pkgs.perl538Packages.PlackMiddlewareAuthDigest

pkgs.perl540Packages.PlackMiddlewareAuthDigest

pkgs.perl5Packages.PlackMiddlewareReverseProxy

pkgs.perlPackages.PlackMiddlewareConsoleLogger

pkgs.perl5Packages.PlackMiddlewareConsoleLogger

pkgs.perlPackages.PlackMiddlewareMethodOverride

pkgs.perl538Packages.PlackMiddlewareReverseProxy

pkgs.perl540Packages.PlackMiddlewareReverseProxy

pkgs.perl5Packages.PlackMiddlewareMethodOverride

pkgs.perl538Packages.PlackMiddlewareConsoleLogger

pkgs.perl540Packages.PlackMiddlewareConsoleLogger

pkgs.perl538Packages.PlackMiddlewareMethodOverride

pkgs.perl540Packages.PlackMiddlewareMethodOverride

pkgs.perlPackages.PlackMiddlewareRemoveRedundantBody

pkgs.perl5Packages.PlackMiddlewareRemoveRedundantBody

pkgs.perl538Packages.PlackMiddlewareRemoveRedundantBody

pkgs.perl540Packages.PlackMiddlewareRemoveRedundantBody

pkgs.perlPackages.PlackMiddlewareFixMissingBodyInRedirect

pkgs.perl5Packages.PlackMiddlewareFixMissingBodyInRedirect

pkgs.perl538Packages.PlackMiddlewareFixMissingBodyInRedirect

pkgs.perl540Packages.PlackMiddlewareFixMissingBodyInRedirect