HTTP Request Smuggling Vulnerability in Starlet Perl Server
CVE-2026-40561

Currently unrated

Key Information:

Vendor

Kazuho

Status
Vendor
CVE Published:
3 May 2026

What is CVE-2026-40561?

Starlet, a Perl web server, is vulnerable to HTTP Request Smuggling in versions up to 0.31 because of improper header precedence. The issue occurs when a request carries both a 'Content-Length' header and a 'Transfer-Encoding: chunked' header. Per RFC 7230 section 3.3.3, 'Transfer-Encoding' should take precedence over 'Content-Length'. An attacker can exploit this flaw to smuggle malicious HTTP requests, particularly through front-end reverse proxy servers, potentially compromising the integrity and security of web applications.
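The precedence rule above can be checked at a proxy or in a test harness. The following is an added example, not Starlet's code: the function names and the sample requests are constructed for illustration, and header folding is not handled.

```python
import re

def parse_headers(raw: bytes) -> dict:
    """Collect header values by lower-cased name from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def body_framing(raw: bytes):
    """Return (framing, conflict) for a request per RFC 7230 section 3.3.3."""
    h = parse_headers(raw)
    codings = [c.strip().lower() for v in h.get("transfer-encoding", [])
               for c in v.split(",") if c.strip()]
    lengths = {x.strip() for v in h.get("content-length", []) for x in v.split(",")}
    conflict = bool(codings) and bool(lengths)
    if codings:
        # Transfer-Encoding overrides Content-Length; the final coding must be chunked.
        return ("chunked" if codings[-1] == "chunked" else "reject-400", conflict)
    if lengths:
        # Exactly one value, ASCII digits only; anything else is an invalid length.
        ok = len(lengths) == 1 and re.fullmatch(r"[0-9]+", next(iter(lengths)))
        return ("content-length" if ok else "reject-400", False)
    return ("no-body", False)

def should_reject(raw: bytes) -> bool:
    """Defensive policy: treat a CL + TE conflict or invalid framing as an error."""
    framing, conflict = body_framing(raw)
    return conflict or framing == "reject-400"

# Constructed sample requests (not captured traffic).
BOTH = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
        b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CL_ONLY = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n\r\nabcd"
CL_DIFF = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Length: 4\r\nContent-Length: 9\r\n\r\nabcd")
NO_BODY = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("both", BOTH), ("cl-only", CL_ONLY),
                      ("cl-diff", CL_DIFF), ("no-body", NO_BODY)]:
        print(name, body_framing(req), "reject" if should_reject(req) else "accept")
```

Running the same check on the front-end proxy and the back-end server shows whether both sides agree on where a request body ends, which is the property request smuggling depends on breaking.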

Affected Version(s)

Starlet 0 <= 0.31

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CPANSec