Description

Gazelle versions through 0.49 for Perl allow HTTP Request Smuggling via improper header precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 section 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
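The following is an added illustration of the framing rule the advisory refers to; it is not Gazelle's code or the CVE patch. It implements RFC 7230 section 3.3.3 for a raw HTTP/1.1 request: when both Transfer-Encoding and Content-Length are present, Transfer-Encoding overrides Content-Length (the RFC also permits rejecting such a message outright, which the `reject_ambiguous` flag does). The sample requests, the host `example.test` and all function names are constructed for this example.

```python
"""Resolve HTTP/1.1 request body framing per RFC 7230 section 3.3.3.

Added example (not Gazelle's implementation). The point it demonstrates:
a parser that honours Content-Length when Transfer-Encoding is also present
stops reading the body early and leaves bytes in the connection buffer,
which a compliant front-end would have consumed as part of the chunked body.
"""
import re


class FramingError(ValueError):
    """Raised when a request's body framing is invalid or ambiguous."""


def parse_headers(head: bytes) -> list[tuple[str, str]]:
    """Parse the header block (request line excluded) into lower-cased (name, value) pairs."""
    headers = []
    for line in head.split(b"\r\n")[1:]:  # index 0 is the request line
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"), value.strip().decode("latin-1")))
    return headers


def decode_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded_body, bytes_after_the_message)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise FramingError("invalid chunk size")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            # last-chunk: optional trailer fields, terminated by an empty line
            while True:
                end = body.find(b"\r\n", pos)
                if end < 0:
                    raise FramingError("truncated trailer section")
                line = body[pos:end]
                pos = end + 2
                if not line:
                    return bytes(out), body[pos:]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated chunk data")
        out += body[pos:pos + size]
        pos += size + 2


def frame_request(raw: bytes, reject_ambiguous: bool = False) -> tuple[str, bytes, bytes]:
    """Return (framing, body, leftover) for one raw request.

    framing is 'chunked', 'content-length' or 'none'; leftover is whatever
    follows the message on the connection (should be empty for one request).
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    headers = parse_headers(head)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl and reject_ambiguous:
        # RFC 7230 3.3.3 allows a server to treat this combination as an error
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        # Transfer-Encoding overrides Content-Length; the final coding must be chunked
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer-coding is not chunked")
        body, leftover = decode_chunked(rest)
        return "chunked", body, leftover
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("invalid or conflicting Content-Length")
        n = int(cl[0])
        if len(rest) < n:
            raise FramingError("body shorter than Content-Length")
        return "content-length", rest[:n], rest[n:]
    return "none", b"", rest


def has_conflicting_framing(raw: bytes) -> bool:
    """True when a request carries both framing headers (the case this CVE concerns)."""
    head = raw.partition(b"\r\n\r\n")[0]
    names = {n for n, _ in parse_headers(head)}
    return "transfer-encoding" in names and "content-length" in names


# Constructed sample requests (not real traffic).
AMBIGUOUS_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 3\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)
PLAIN_REQUEST = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    # Compliant framing consumes the whole chunked body and leaves nothing behind.
    print(frame_request(AMBIGUOUS_REQUEST))       # ('chunked', b'hello', b'')
    print(has_conflicting_framing(AMBIGUOUS_REQUEST))  # True
```

A Content-Length-first parser given `AMBIGUOUS_REQUEST` would take only the first 3 bytes (`5\r\n`) as the body and leave `hello\r\n0\r\n\r\n` in its buffer, while a front-end proxy that follows the RFC forwards the whole 15-byte chunked body as one message; that disagreement is the desynchronization CWE-444 describes. The `has_conflicting_framing` check is the kind of condition a reverse proxy or WAF can log or reject on, independent of which back-end is behind it.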

PUBLISHED Reserved 2026-04-14 | Published 2026-05-06 | Updated 2026-05-07 | Assigner CPANSec

Problem types

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Product status

Default status
unaffected

Any version
affected

Timeline

2026-04-12: Issue identified by CPANSec
2026-04-29: Issue reported to software maintainer
2026-05-06: Issue disclosed by CPANSec
2026-05-07: Gazelle 0.50 released

Credits

CPANSec (finder)

References

www.openwall.com/lists/oss-security/2026/05/06/7

datatracker.ietf.org/doc/html/rfc7230

security.metacpan.org/...azelle/0.49/CVE-2026-40562-r1.patch (patch)

metacpan.org/release/KAZEBURO/Gazelle-0.50/changes (release notes)

cve.org (CVE-2026-40562)

nvd.nist.gov (CVE-2026-40562)