Description

Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via improper header precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 section 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
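The following is an added example, not Starlet's code, showing how a parser that honours Content-Length first (the behaviour described above) and an RFC 7230 section 3.3.3 compliant parser disagree on where a request body ends, and the check a front-end can apply to reject such a request outright. The sample request, the header names handled and all function names are constructed for this illustration.

```python
def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request into (request-line, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, body

def chunked_body_len(body: bytes) -> int:
    """Bytes consumed by a chunked body, including the last-chunk and trailer section."""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            while body[pos:pos + 2] != b"\r\n":             # skip optional trailer fields
                pos = body.index(b"\r\n", pos) + 2
            return pos + 2
        pos += size + 2                                      # chunk data plus its CRLF

def body_len(headers: dict, body: bytes, transfer_encoding_wins: bool) -> int:
    """Message-body length under one precedence rule; Starlet <= 0.31 used CL first."""
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    cl = headers.get("content-length")
    if chunked and transfer_encoding_wins:
        return chunked_body_len(body)
    if cl is not None and cl.isdigit():
        return int(cl)
    return chunked_body_len(body) if chunked else 0

def is_ambiguous(headers: dict) -> bool:
    """RFC 7230 3.3.3: a request carrying both headers ought to be handled as an error."""
    return "transfer-encoding" in headers and "content-length" in headers

# Constructed sample (not a real capture): Content-Length claims 3 bytes, while the
# chunked framing spans 5 (the last-chunk "0\r\n" plus the empty trailer line).
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

def compare(raw: bytes = SAMPLE) -> dict:
    """How far each parser reads into the buffer, and whether a front-end should reject."""
    _, headers, body = parse_head(raw)
    cl_first = body_len(headers, body, transfer_encoding_wins=False)
    te_first = body_len(headers, body, transfer_encoding_wins=True)
    return {"content_length_first": cl_first, "transfer_encoding_first": te_first,
            "parsers_disagree": cl_first != te_first, "reject": is_ambiguous(headers)}
```

A reverse proxy that rejects (or normalises by dropping Content-Length from) any request where `is_ambiguous` is true removes the disagreement that a Content-Length-first back end such as Starlet 0.31 would otherwise introduce.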

Status: PUBLISHED | Reserved 2026-04-14 | Published 2026-05-03 | Updated 2026-05-07 | Assigner: CPANSec

Problem types

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Product status

Default status: unaffected

Any version: affected

Timeline

2019-11-19: Patch submitted to Starlet 0.31
2026-04-12: Issue identified by CPANSec
2026-04-28: Maintainer notified
2026-05-02: Determined that the issue was already public on GitHub
2026-05-06: Starlet 0.32 released with a fix

Credits

CPANSec (finder)

References

www.openwall.com/lists/oss-security/2026/05/03/1

datatracker.ietf.org/doc/html/rfc7230

github.com/...a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch patch

metacpan.org/release/KAZUHO/Starlet-0.32/changes release-notes

cve.org (CVE-2026-40561)

nvd.nist.gov (CVE-2026-40561)