Description
Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Published: 2026-04-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Starman versions before 0.4018 implement header parsing that incorrectly prioritizes the "Content-Length" header over "Transfer-Encoding: chunked" when both are present. According to RFC 7230, the Transfer-Encoding header must take precedence. Because of this improper precedence, an attacker can craft requests containing both headers and mislead Starman into interpreting the payload size incorrectly. This flaw allows an attacker to smuggle malicious HTTP requests through a front‑end reverse proxy. The CVE statement does not specify downstream effects; based on the description, it is inferred that the smuggled requests could interfere with or manipulate downstream services, but these specific actions are not confirmed in the provided data.

Affected Systems

The affected product is Starman for Perl, maintained by MIYAGAWA. All versions preceding 0.4018 are vulnerable. The remedy is to upgrade to Starman 0.4018 or later.

Risk and Exploitability

The attack requires an attacker to send crafted HTTP requests to a server running the vulnerable Starman behind a reverse proxy that forwards requests. Because this attack vector depends on the presence of the proxy and the inclusion of both headers, it is not a generic cross‑platform flaw. The EPSS score is < 1%, indicating a low likelihood of exploitation, while the CVSS score of 7.5 indicates moderate to high impact. The vulnerability is not listed in KEV.

Generated by OpenCVE AI on April 29, 2026 at 21:30 UTC.

Remediation

Vendor Solution

Upgrade to version 0.4018

OpenCVE Recommended Actions

  • Upgrade Starman to version 0.4018 or newer
  • Configure the reverse proxy to reject requests that contain both Content‑Length and Transfer‑Encoding headers
  • Verify that incoming requests are validated or sanitized for header consistency before forwarding

Generated by OpenCVE AI on April 29, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:miyagawa:starman:*:*:*:*:*:perl:*:*

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Miyagawa
Miyagawa starman
Vendors & Products Miyagawa
Miyagawa starman

Wed, 29 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
References

Wed, 29 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Title Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence
Weaknesses CWE-444
References

Subscriptions

Miyagawa Starman
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-29T19:06:02.932Z

Reserved: 2026-04-14T11:35:53.644Z

Link: CVE-2026-40560

cve-icon Vulnrichment

Updated: 2026-04-29T03:04:48.511Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T00:16:03.927

Modified: 2026-05-06T16:35:19.297

Link: CVE-2026-40560

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses