Description
Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Published: 2026-05-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Starlet for Perl up to version 0.31 incorrectly prioritizes the Content-Length header over Transfer-Encoding: chunked when both are present in an HTTP request. This violates RFC 7230 section 3.3.3, under which Transfer-Encoding must take precedence. Consequently, an attacker can craft requests that a front-end reverse proxy and the upstream Starlet server frame differently, allowing requests to be smuggled through the proxy. The vulnerability is a CWE-444 weakness (inconsistent interpretation of HTTP requests) in header handling and could allow the attacker to inject or modify traffic intended for a downstream service.

Affected Systems

The affected product is Starlet for Perl supplied by Kazuho. Versions through 0.31 are impacted. Users running Starlet 0.31 or earlier are susceptible; newer releases are not noted to be affected.

Risk and Exploitability

Because the flaw lies in standard HTTP header handling, the attack surface is significant for any deployment that places Starlet behind a proxy which may forward both headers. No EPSS score is available and the issue is not listed in CISA KEV, but the relative severity is high because downstream requests can be altered. The attack vector is an HTTP client that sends both headers in a single request to the proxy. Effective exploitation requires the proxy to forward such a request without enforcing the RFC precedence rule itself; the affected Starlet versions then apply the wrong precedence in their default configuration, so the two parsers disagree on where the body ends.

Generated by OpenCVE AI on May 3, 2026 at 02:20 UTC.

Remediation

Vendor Workaround

Migrate to Starman 0.4018 or later, which has fixed this issue, or apply the patch.

OpenCVE Recommended Actions

  • Apply the upstream patch from commit a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0 provided by Kazuho
  • Migrate to Starman version 0.4018 or later where the header precedence bug is fixed
  • Ensure that any request forwarded to Starlet does not contain both Content-Length and Transfer-Encoding: chunked headers, or that proxies perform their own header validation

Generated by OpenCVE AI on May 3, 2026 at 02:20 UTC.
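The header-precedence rule from the description and the proxy-side validation from the recommended actions, as one added example (not Starlet's or OpenCVE's code; the hostname, path and sample requests are constructed):

```python
# Added example for CVE-2026-40561, not Starlet's or OpenCVE's code: RFC 7230
# 3.3.3 framing beside the Content-Length-first reading the advisory describes,
# and the proxy-side gate its recommended actions ask for. Samples constructed.

def parse_request(raw: bytes):
    """(request line, lowercased-header dict of lists, body) from a raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def chunked_length(body: bytes) -> int:
    """Bytes consumed through the CRLF after the 0-size last chunk (no trailers)."""
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)  # chunk-size, ext ignored
        pos = nl + 2
        if size == 0:
            return pos + 2       # final CRLF after "0\r\n"
        pos += size + 2          # chunk-data + CRLF

def body_length(headers, body: bytes, content_length_first: bool) -> int:
    """False: RFC 7230 3.3.3 (Transfer-Encoding makes Content-Length irrelevant).
    True: the pre-fix Starlet reading, where Content-Length wins."""
    te = [v.lower() for v in headers.get("transfer-encoding", [])]
    cl = headers.get("content-length", [])
    chunked = any("chunked" in v for v in te)
    if cl and (content_length_first or not chunked):
        return int(cl[0])
    return chunked_length(body) if chunked else 0

def check_for_forwarding(raw: bytes):
    """Proxy-side gate, (ok, reason): refuse the header pair the advisory says
    must not reach Starlet, and report how far the two framings diverge."""
    _, headers, body = parse_request(raw)
    if "transfer-encoding" in headers and "content-length" in headers:
        rfc = body_length(headers, body, content_length_first=False)
        cl = body_length(headers, body, content_length_first=True)
        return False, (f"Transfer-Encoding and Content-Length both present: "
                       f"RFC framing reads {rfc} body bytes, Content-Length {cl}")
    return True, "ok"

# Constructed samples: a clean request and the ambiguous shape this CVE covers.
CLEAN = b"POST /submit HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
```

The two framings return 15 and 4 bytes for the same ambiguous request, which is exactly the disagreement a front-end and an affected Starlet would have; the gate refuses it before it is forwarded.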

Advisories

No advisories yet.

History

Sun, 03 May 2026 05:30:00 +0000

  • References: updated

Sun, 03 May 2026 01:15:00 +0000

  • Description (added): Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
  • Title (added): Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence
  • Weaknesses (added): CWE-444
  • References: updated

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-03T03:04:55.098Z

Reserved: 2026-04-14T11:35:53.644Z

Link: CVE-2026-40561

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T01:15:58.390

Modified: 2026-05-03T05:15:58.487

Link: CVE-2026-40561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T02:30:05Z

Weaknesses