Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence.
Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.
An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.
| Vendors | Products |
|---|
References
History
Sun, 03 May 2026 05:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Sun, 03 May 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. | |
| Title | Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence | |
| Weaknesses | CWE-444 | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-05-03T03:04:55.098Z
Reserved: 2026-04-14T11:35:53.644Z
Link: CVE-2026-40561
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-05-03T01:15:58.390
Modified: 2026-05-03T05:15:58.487
Link: CVE-2026-40561
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-05-03T02:30:05Z