CVE-2026-40561 (GCVE-0-2026-40561)
Vulnerability from cvelistv5 – Published: 2026-05-03 00:57 UTC – Updated: 2026-05-07 16:45 UTC
Title
Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence
Summary
Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence.
Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 §3.3.3, Transfer-Encoding must take precedence; because a front-end proxy that follows the RFC frames the message differently from Starlet, the two can disagree on where one request ends and the next begins.
An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-03T03:04:55.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/03/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-40561",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T13:54:42.679845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T13:54:47.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Starlet",
"product": "Starlet",
"programFiles": [
"lib/Starlet/Server.pm"
],
"programRoutines": [
{
"name": "Starlet::Server::handle_connection"
}
],
"repo": "https://github.com/kazuho/Starlet",
"vendor": "KAZUHO",
"versions": [
{
"lessThanOrEqual": "0.31",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CPANSec"
}
],
"descriptions": [
{
"lang": "en",
"value": "Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence.\n\nStarlet incorrectly prioritizes \"Content-Length\" over \"Transfer-Encoding: chunked\" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.\n\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy."
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33 HTTP Request Smuggling"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T16:45:01.655Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/KAZUHO/Starlet-0.32/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Starlet 0.32 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2019-11-19T00:00:00.000Z",
"value": "Patch submitted to Starlet 0.31"
},
{
"lang": "en",
"time": "2026-04-12T00:00:00.000Z",
"value": "Issue identified by CPANSec"
},
{
"lang": "en",
"time": "2026-04-28T00:00:00.000Z",
"value": "Maintainer notified"
},
{
"lang": "en",
"time": "2026-05-02T00:00:00.000Z",
"value": "Determined that the issue was already public on GitHub"
},
{
"lang": "en",
"time": "2026-05-06T00:00:00.000Z",
"value": "Starlet 0.32 released with a fix"
}
],
"title": "Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence",
"workarounds": [
{
"lang": "en",
"value": "Migrate to Starman 0.4018 or later which has fixed this issue or apply the patch."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-40561",
"datePublished": "2026-05-03T00:57:31.519Z",
"dateReserved": "2026-04-14T11:35:53.644Z",
"dateUpdated": "2026-05-07T16:45:01.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}