Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
7DescriptionCVE.org
Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence.
Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.
An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
AnalysisAI
HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3, which mandates that Transfer-Encoding must take precedence when both headers are present. An attacker positioned between a client and Starlet-based backend can craft malicious requests that are interpreted differently by a front-end reverse proxy and the Starlet server, enabling request smuggling attacks with integrity impact.
Technical ContextAI
Starlet is a high-performance Perl PSGI application server. The vulnerability resides in the HTTP request parsing logic (lib/Starlet/Server.pm, handle_connection subroutine) where the server incorrectly prioritizes the Content-Length header when both Content-Length and Transfer-Encoding: chunked are present in the same HTTP request. RFC 7230 section 3.3.3 explicitly requires that Transfer-Encoding takes precedence, and the presence of both headers together signals a potential request smuggling or response splitting attack. The root cause is CWE-444 (Inconsistent Interpretation of HTTP Requests by HTTP Entities), a well-known class enabling cache poisoning, session fixation, and request smuggling attacks in proxy chains. The CPE affected is cpe:2.3:a:kazuho:starlet:*:*:*:*:*:*:*:* for all versions through 0.31.
RemediationAI
Upgrade Starlet to a version released after the patch commit a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0 (exact patched version number not specified in provided data, consult CPAN or vendor release notes). The upstream fix adds validation to reject HTTP requests containing both Transfer-Encoding and Content-Length headers, returning a 400 Bad Request response as per RFC 7230 guidance. No workarounds are documented for unpatched versions, but deployment-level mitigation can include placing a RFC 7230-compliant reverse proxy (such as nginx or Apache with appropriate configuration) in front of Starlet to normalize or reject malformed requests before they reach the backend. If immediate patching is not feasible, restrict Starlet to trusted networks and avoid exposing it directly to the internet; however, this does not eliminate risk in multi-tier proxy architectures. Refer to https://github.com/kazuho/Starlet for release notes and https://vuldb.com/vuln/360875 for additional advisory details.
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26806