Security Advisories (1)
CVE-2026-7381 (2026-04-29)

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (the sendfile type) to be set by the client via the X-Sendfile-Type header if it has not been set in the middleware constructor or in the Plack environment. A malicious client can send an X-Sendfile-Type header set to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping header to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations: it disallows regular expressions in the mapping, and it only applies the mapping for the "X-Accel-Redirect" type.

NAME

HTTP::Server::PSGI - Standalone PSGI compatible HTTP server

SYNOPSIS

use HTTP::Server::PSGI;

my $server = HTTP::Server::PSGI->new(
    host => "127.0.0.1",
    port => 9091,
    timeout => 120,
);

$server->run($app);

DESCRIPTION

HTTP::Server::PSGI is a standalone, single-process, PSGI compatible HTTP server implementation.

This server should be great for development and testing, but might not be suitable for production use.

Some features of HTTP/1.1, notably chunked requests and responses and pipelined requests, are NOT supported, and it also does not support HTTP/0.9.

See Starman or uWSGI if you want HTTP/1.1 and other features ready for production use.

PREFORKING

HTTP::Server::PSGI does NOT support preforking. See Starman or Starlet if you want a multi-process prefork web server.

HARAKIRI SUPPORT

This web server supports the `psgix.harakiri` extension defined in PSGI::Extensions.

This server is a non-forking, single-process web server (i.e. `psgi.multiprocess` is false), so if your application commits harakiri, the entire web server stops too. If this behavior is not what you want, be sure to check `psgi.multiprocess` as well, so that harakiri is enabled only in preforking servers such as Starman.

On the other hand, this behavior might be handy if you want to embed this module in your application, serve HTTP requests for only a short period of time, and then return to your main program.
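Both behaviors described above, as an added example that is not part of the module's own documentation: a script that embeds HTTP::Server::PSGI, gates worker-recycling harakiri on `psgi.multiprocess` as advised, and uses a deliberate harakiri to hand control back to the main program. The paths `/heavy` and `/stop`, and the free local port 9091, are assumptions of the example.

```perl
#!/usr/bin/env perl
# Added example (not from HTTP::Server::PSGI's own docs): embed the server,
# serve requests until one commits harakiri, then return to the main program.
use strict;
use warnings;
use HTTP::Server::PSGI;

sub text_response { return [200, ['Content-Type' => 'text/plain'], [ $_[0] ]]; }

my $app = sub {
    my $env  = shift;
    my $path = $env->{PATH_INFO};

    # Worker recycling (e.g. after a memory-heavy request) is only safe where
    # a parent process respawns the worker. Gate it on psgi.multiprocess, so
    # a single-process server such as this one is not taken down by accident.
    if ($path eq '/heavy') {
        $env->{'psgix.harakiri.commit'} = 1
            if $env->{'psgix.harakiri'} && $env->{'psgi.multiprocess'};
        return text_response("heavy work done\n");
    }

    # Deliberate shutdown for the embedded, short-lived use: here the
    # single-process behavior (the whole server stops) is exactly the goal.
    if ($path eq '/stop') {
        # psgix.harakiri is only true on servers that implement the extension.
        $env->{'psgix.harakiri.commit'} = 1 if $env->{'psgix.harakiri'};
        return text_response("stopping\n");
    }

    return text_response("hello\n");
};

my $server = HTTP::Server::PSGI->new(
    host    => '127.0.0.1',   # assumption: bind to loopback only
    port    => 9091,          # assumption: port is free
    timeout => 120,
);

# run() blocks in the accept loop and returns after a request commits harakiri.
$server->run($app);

print "server stopped, back in the main program\n";
```

Under a preforking server such as Starman the same `/heavy` handler recycles only the worker that served the request, while `/stop` still ends just that worker rather than the whole service.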

AUTHOR

Kazuho Oku

Tatsuhiko Miyagawa

SEE ALSO

Plack::Handler::Standalone Starman Starlet