HIGHCVE-2026-40560Published 2026-04-28Modified 2026-04-29CNA CPANSec

CVE-2026-40560: Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 0.4018
Affected Products: 1

Fix available

0.4018

Patch commits

github.com

Affected packages

MIYAGAWA / Starman
< 0.4018 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

github.com
metacpan.org
datatracker.ietf.org

Metrics

Fix available