CVE-2023-31486

8.1 HIGH

📋 TL;DR

HTTP::Tiny versions before 0.083 ship an insecure default TLS configuration: SSL/TLS certificates are not verified unless the caller explicitly opts in. This allows man-in-the-middle attacks in which an attacker intercepts and manipulates HTTPS traffic. It affects Perl applications that use HTTP::Tiny for HTTPS connections, including many CPAN modules and systems with Perl 5.13.9+.

💻 Affected Systems

Products:
  • HTTP::Tiny (Perl module)
  • Perl core (5.13.9+)
  • Various CPAN modules using HTTP::Tiny
Versions: HTTP::Tiny < 0.083, Perl 5.13.9+ with vulnerable HTTP::Tiny versions
Operating Systems: All operating systems running affected Perl/HTTP::Tiny versions
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration: certificate verification is disabled by default and must be explicitly enabled by users.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can perform full man-in-the-middle attacks, intercepting and modifying sensitive data (credentials, tokens, API calls) transmitted over HTTPS, potentially leading to data breaches, account compromise, or system takeover.

🟠 Likely Case

Attackers on the same network can intercept HTTPS traffic to steal session cookies, API keys, or other sensitive information transmitted by vulnerable applications.

🟢 If Mitigated

With proper certificate verification enabled, HTTPS connections are secure and resistant to man-in-the-middle attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to intercept traffic. Proof-of-concept code is publicly available demonstrating man-in-the-middle attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HTTP::Tiny 0.083+

Vendor Advisory: https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/

Restart Required: Yes

Instructions:

1. Update HTTP::Tiny to version 0.083 or later using CPAN: 'cpan HTTP::Tiny'
2. For Perl core installations, update Perl or apply the HTTP::Tiny patch
3. Restart affected Perl applications/services

🔧 Temporary Workarounds

Workaround 1: Enable certificate verification in code
Platform: all

Explicitly enable SSL certificate verification in HTTP::Tiny calls:

my $http = HTTP::Tiny->new(verify_SSL => 1);

Workaround 2: Set environment variable
Platform: linux

Force certificate verification via the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable:

export PERL_LWP_SSL_VERIFY_HOSTNAME=1
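The following script is an added example (not part of this advisory or of the HTTP::Tiny distribution) that ties the in-code workaround above to the version check below: it reports the installed version, inspects the verify_SSL setting an unmodified caller actually gets, and builds a client with verification forced on. The optional CA bundle path and the target URL are placeholders you must adjust.

```perl
#!/usr/bin/env perl
# Added example: audit the effective HTTP::Tiny TLS defaults on this host
# and construct a client that always verifies server certificates.
use strict;
use warnings;
use HTTP::Tiny;

# Version from which verify_SSL defaults to on (from the advisory).
my $fixed_version = '0.083';

sub audit_http_tiny {
    my $version = HTTP::Tiny->VERSION;
    # Inspect the object an unmodified caller would get. This catches the
    # insecure default even if the version string alone looks fixed
    # (e.g. an environment or wrapper that turns verification back off).
    my $default_client = HTTP::Tiny->new;
    return {
        version            => $version,
        version_vulnerable => ( $version < $fixed_version ) ? 1 : 0,
        default_verifies   => $default_client->verify_SSL ? 1 : 0,
    };
}

# Hardened constructor: verification on, optional explicit CA bundle.
# ca_file is an assumption; point it at your distribution's trust store.
sub make_verified_client {
    my (%opt) = @_;
    my %args = ( verify_SSL => 1, timeout => 10 );
    $args{SSL_options} = { SSL_ca_file => $opt{ca_file} } if $opt{ca_file};
    my $http = HTTP::Tiny->new(%args);
    # can_ssl returns false plus a reason when IO::Socket::SSL, Net::SSLeay
    # or a usable CA bundle is missing; a verifying client cannot work then.
    my ( $ok, $why ) = $http->can_ssl;
    die "TLS verification unavailable: $why\n" unless $ok;
    return $http;
}

my $report = audit_http_tiny();
printf "HTTP::Tiny %s: version %s, default client %s certificates\n",
    $report->{version},
    $report->{version_vulnerable} ? 'vulnerable' : 'fixed',
    $report->{default_verifies}   ? 'verifies'   : 'does NOT verify';

# Placeholder URL: replace with the service your application talks to.
my $http = make_verified_client();
my $res  = $http->get('https://example.invalid/');
printf "%s %s\n", $res->{status}, $res->{reason};
```

A fixed host prints "version fixed, default client verifies certificates"; a client built by make_verified_client verifies on every HTTP::Tiny version, so it is also the safe choice where patching lags.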

🧯 If You Can't Patch

  • Implement network-level controls to prevent man-in-the-middle attacks (VPNs, network segmentation)
  • Monitor for unusual outbound HTTPS connections and certificate validation failures

🔍 How to Verify

Check if Vulnerable:

Check the HTTP::Tiny version with 'perl -MHTTP::Tiny -e "print HTTP::Tiny->VERSION"'; if the version is below 0.083, the installation is vulnerable.

Check Version:

perl -MHTTP::Tiny -e "print HTTP::Tiny->VERSION"

Verify Fix Applied:

Verify the version is 0.083 or later: 'perl -MHTTP::Tiny -e "print HTTP::Tiny->VERSION"' should print 0.083 or higher.

📡 Detection & Monitoring

Log Indicators:

  • HTTPS connection failures due to certificate validation
  • Unusual outbound HTTPS connections from Perl processes

Network Indicators:

  • Unencrypted or suspicious HTTPS traffic from Perl applications
  • Certificate validation failures in network logs

SIEM Query:

process.name:perl AND network.protocol:https AND (event.outcome:failure OR certificate.validation:failed)
