UNKNOWN Severity
CVE-2026-40561
Last updated May 03, 2026 · Published May 03, 2026
Description
Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 Section 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Affected products
1 listed
- KAZUHO:Starlet
Mappings
CWE
CWE-444
CAPEC
CAPEC-33
CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use.
