CVE-2026-40560

N/A Unknown

Published: April 29, 2026 Modified: April 29, 2026

Description

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

http://www.openwall.com/lists/oss-security/2026/04/29/1

Source: af854a3a-2127-422b-91ae-364da2661108

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-444

Related CVEs

CVE-2026-42615 7.2

CVE-2026-23773 4.3

CVE-2026-7363 N/A

CVE-2026-7361 N/A

CVE-2026-7360 N/A