PT-2026-36646 · Cpan · Starlet
Cpansec
·
Published
2026-05-03
·
Updated
2026-05-07
·
CVE-2026-40561
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Starlet versions prior to 0.32
Description
Starlet for Perl allows HTTP Request Smuggling due to improper header precedence. The software incorrectly prioritizes the
Content-Length header over Transfer-Encoding: chunked when both are present in an HTTP request, which contradicts RFC 7230 3.3.3. This behavior allows an attacker to smuggle malicious HTTP requests through a front-end reverse proxy.Recommendations
Update to version 0.32 or later.
Fix
HTTP Request/Response Smuggling
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Starlet