Description
Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Published: 2026-05-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gazelle versions through 0.49 incorrectly prioritize Content‑Length over Transfer‑Encoding: chunked when both headers are present, violating RFC 7230 §3.3.3 (CWE‑444: Improper Header Precedence). This flaw allows an attacker to smuggle additional HTTP requests through a front‑end reverse proxy, potentially enabling injection of arbitrary requests, bypass of filters, or exploitation of downstream services.

Affected Systems

The vulnerability affects Kazeburo’s Gazelle web server versions up to and including 0.49. The flaw is fixed in later releases of Starman (0.4018 or newer) and can also be remedied by applying the available patch from the Perl CPAN repository.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and no EPSS score is published. The flaw enables hidden request smuggling: an attacker with access to the front‑end proxy could inject malicious traffic without being detected. The issue is not listed in CISA’s KEV catalog, but the potential impact on confidentiality, integrity, and availability of downstream systems makes it a high‑risk vulnerability. Exploitation does not require privileged credentials and can be performed remotely by sending crafted HTTP requests that contain both headers.

Generated by OpenCVE AI on May 6, 2026 at 16:31 UTC.

Remediation

Vendor Solution

Upgrade to Gazelle 0.50 or later.

Vendor Workaround

Migrate to Starman version 0.4018 or newer which has fixed the issue. Or apply the patch.

OpenCVE Recommended Actions

  • Apply the official patch to Gazelle version 0.49 (or later) available at https://security.metacpan.org/patches/G/Gazelle/0.49/CVE-2026-40562-r1.patch
  • Migrate your application to use Starman version 0.4018 or newer, which includes the header precedence fix
  • Verify that Transfer‑Encoding headers are processed before Content‑Length by performing controlled tests against your proxy, ensuring that smuggled requests are no longer accepted

Generated by OpenCVE AI on May 6, 2026 at 16:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kazeburo:gazelle:*:*:*:*:*:perl:*:*

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Kazeburo
Kazeburo gazelle
Vendors & Products Kazeburo
Kazeburo gazelle

Thu, 07 May 2026 17:00:00 +0000

Type Values Removed Values Added
References

Wed, 06 May 2026 17:30:00 +0000

Type Values Removed Values Added
References

Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Title Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence
Weaknesses CWE-444
References

Subscriptions

Kazeburo Gazelle
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-07T16:13:49.501Z

Reserved: 2026-04-14T11:35:53.644Z

Link: CVE-2026-40562

cve-icon Vulnrichment

Updated: 2026-05-06T16:32:45.619Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T13:16:09.110

Modified: 2026-05-11T15:04:24.637

Link: CVE-2026-40562

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T21:25:39Z

Weaknesses