Cpansec

**Name of the Vulnerable Software and Affected Versions** Gazelle versions prior to 0.50 **Description** Improper header precedence allows HTTP Request Smuggling. The software incorrectly prioritizes the `Content-Length` header over `Transfer-Encoding: chunked` when both are present in an HTTP request, violating RFC 7230 3.3.3. This allows an attacker to smuggle malicious HTTP requests through a front-end reverse proxy. **Recommendations** Update to a version later than 0.49.

**Name of the Vulnerable Software and Affected Versions** Starlet versions prior to 0.32 **Description** Starlet for Perl allows HTTP Request Smuggling due to improper header precedence. The software incorrectly prioritizes the `Content-Length` header over `Transfer-Encoding: chunked` when both are present in an HTTP request, which contradicts RFC 7230 3.3.3. This behavior allows an attacker to smuggle malicious HTTP requests through a front-end reverse proxy. **Recommendations** Update to version 0.32 or later.

**Name of the Vulnerable Software and Affected Versions** Plack::Middleware::XSendfile versions prior to 1.0053 **Description** Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be controlled by the client via the `X-Sendfile-Type` header if it is not defined in the middleware constructor or the Plack environment. A malicious client can set the `X-Sendfile-Type` header to "X-Accel-Redirect" for services behind nginx reverse proxies and use the `X-Accel-Mapping` header to map the path to an arbitrary file on the server, enabling client-controlled path rewriting. **Recommendations** Update to a version later than 1.0053, as Plack::Middleware::XSendfile is deprecated since version 1.0053 and will be removed from future releases of Plack.

**Name of the Vulnerable Software and Affected Versions** Starman versions prior to 0.4018 **Description** Improper header precedence allows HTTP Request Smuggling. The software incorrectly prioritizes the `Content-Length` header over `Transfer-Encoding: chunked` when both are present in an HTTP request, which contradicts RFC 7230 3.3.3. This can be exploited to smuggle malicious HTTP requests through a front-end reverse proxy. **Recommendations** Update to version 0.4018 or later.

**Name of the Vulnerable Software and Affected Versions** Text::Minify::XS versions 0.3.0 through 0.7.7 **Description** A heap overflow occurs when processing certain malformed UTF-8 characters. The `minify()` function and its alias `minify utf8()` mishandle these characters, which leads to heap corruption. **Recommendations** Update to version 0.7.8 or later.