Starlet for Perl up to version 0.31 incorrectly prioritizes the Content-Length header over Transfer-Encoding: chunked when both are present in an HTTP request. This violates RFC 7230 section 3.3.3, where Transfer-Encoding must take precedence. Consequently, an attacker can craft requests that are interpreted differently by a front‑end reverse proxy and an upstream server, enabling malicious requests to be smuggled through the proxy. The vulnerability is a class‑404 CWE‑444 weakness in header handling and could allow the attacker to inject or modify traffic intended for a downstream service.

The affected product is Starlet for Perl supplied by Kazuho. Versions through 0.31 are impacted. Users running Starlet 0.31 or earlier are susceptible; newer releases are not noted to be affected.

Because the flaw relies on standard HTTP header handling, the attack surface is significant for any deployment using Starlet behind a proxy that may send both headers. The EPSS score of < 1% indicates a low probability that this vulnerability will be exploited in the wild, and the issue is not listed in the CISA KEV catalog. While the CVSS score of 5.3 represents medium severity, the potential to alter downstream requests still poses a risk. The attack vector is via an HTTP client that inserts both headers in a single request to the proxy. Effective exploitation requires the proxy to not properly enforce RFC rules, a condition likely present in default Starlet configurations.