HTTP Request Smuggling Vulnerability in Starman by Perl
CVE-2026-40560

Currently unrated

Key Information:

Vendor: Miyagawa

Status
Vendor
CVE Published: 28 April 2026

What is CVE-2026-40560?

Starman, a popular Perl web server, applies the wrong precedence to HTTP request headers. When a request supplies both 'Content-Length' and 'Transfer-Encoding: chunked', Starman prioritizes 'Content-Length', whereas RFC 7230 requires 'Transfer-Encoding' to take precedence in such cases. Attackers can leverage this flaw to carry out HTTP request smuggling attacks through a front-end reverse proxy, potentially compromising the integrity of web requests and allowing unauthorized actions.
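The precedence rule described above, as an added example that is not Starman's code or part of the advisory: a Python check that flags requests carrying both framing headers and shows how far each precedence reads into the same byte stream. The function names, the `te_wins` switch and the sample request are assumptions constructed for illustration.

```python
# Added example: request-body framing per RFC 7230 section 3.3.3.
SAMPLE = (  # constructed request, not captured traffic
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 3\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

def parse_headers(raw):
    """Return ({lowercased name: [values]}, body bytes) for a raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode()
        headers.setdefault(key, []).append(value.strip().decode())
    return headers, body

def is_chunked(headers):
    """True when the final transfer coding is 'chunked'."""
    codings = ",".join(headers.get("transfer-encoding", [])).lower().split(",")
    return codings[-1].strip() == "chunked"

def chunked_length(body):
    """Bytes a chunked reader consumes (sample has no trailer fields)."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return pos + 2  # CRLF that ends the chunked body
        pos += size + 2     # chunk data plus its CRLF

def body_length(headers, body, te_wins=True):
    """te_wins=True follows RFC 7230; False models the Content-Length-first
    precedence the advisory describes (a model, not Starman's source)."""
    has_cl = "content-length" in headers
    if is_chunked(headers) and (te_wins or not has_cl):
        return chunked_length(body)
    return int(headers["content-length"][0]) if has_cl else 0

def is_ambiguous(headers):
    """Both framing headers present: RFC 7230 says this ought to be handled
    as an error, and a proxy must drop Content-Length before forwarding."""
    return "content-length" in headers and "transfer-encoding" in headers
```

On the sample, the RFC-conformant reader consumes the whole chunked body while the Content-Length-first reader stops after 3 bytes, so the two ends of a proxy chain would disagree about where the next request begins.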

Affected Version(s)

Starman 0 < 0.4018

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CPANSec