Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence.
Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.
An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
AnalysisAI
HTTP Request Smuggling in Gazelle (Perl web server) versions through 0.49 enables attackers to smuggle malicious requests through reverse proxies by exploiting incorrect header precedence. Gazelle violates RFC 7230 by prioritizing Content-Length over Transfer-Encoding: chunked when both headers are present, allowing desynchronization between front-end proxies and the backend server. SSVC framework indicates the vulnerability is automatable with partial technical impact, while CVSS 7.5 reflects network-accessible unauthenticated exploitation with high integrity impact. A vendor patch is available via CPANSec.
Technical ContextAI
HTTP Request Smuggling (CWE-444) exploits discrepancies in how HTTP message boundaries are parsed by chained HTTP processors. RFC 7230 section 3.3.3 explicitly mandates that when both Transfer-Encoding and Content-Length headers are present, Transfer-Encoding must take precedence and Content-Length must be ignored. Gazelle, a high-performance preforking Plack handler written in Perl (CPE: cpe:2.3:a:kazeburo:gazelle), incorrectly reverses this precedence through version 0.49. This implementation flaw creates a desynchronization vector where a reverse proxy correctly honoring Transfer-Encoding will interpret request boundaries differently than Gazelle, which incorrectly honors Content-Length. Attackers can craft ambiguous requests where the front-end processes chunked encoding while Gazelle processes fixed-length content, causing the smuggled portion to be interpreted as the start of a subsequent request.
RemediationAI
Upgrade Gazelle to version 0.50 or later, which corrects the header precedence handling to comply with RFC 7230 section 3.3.3. The vendor patch is available from CPANSec at https://security.metacpan.org/patches/G/Gazelle/0.49/CVE-2026-40562-r1.patch for manual application to version 0.49 if immediate upgrade is not feasible. For environments unable to patch immediately, implement the following compensating controls at the reverse proxy layer: configure strict header normalization that strips Content-Length headers when Transfer-Encoding is present (most modern proxies support this via directives like nginx's proxy_request_buffering or HAProxy's http-buffer-request), or deploy Web Application Firewall rules to block requests containing both headers simultaneously (trade-off: may break legitimate clients if misconfigured, requires testing). Validate that front-end proxies are configured to reject ambiguous requests rather than forward them. Network segmentation limiting Gazelle exposure to trusted proxies only reduces but does not eliminate risk from compromised intermediate systems.
A cross-site scripting (XSS) vulnerability in the component /managers/enable_requests.php of Gazelle commit 63b3370 allo
A cross-site scripting (XSS) vulnerability in the component /login/disabled.php of Gazelle commit 63b3370 allows attacke
A cross-site scripting (XSS) vulnerability in the component /managers/multiple_freeleech.php of Gazelle commit 63b3370 a
A Cross-Site Scripting (XSS) was discovered in Gazelle before 2017-03-19. Rated medium severity (CVSS 6.1), this vulnera
Multiple Cross-Site Scripting (XSS) were discovered in Gazelle before 2017-03-19. Rated medium severity (CVSS 6.1), this
A Cross-Site Scripting (XSS) was discovered in Gazelle before 2017-03-19. Rated medium severity (CVSS 6.1), this vulnera
Multiple Cross-Site Scripting (XSS) were discovered in Gazelle before 2017-03-19. Rated medium severity (CVSS 6.1), this
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27825
GHSA-mjw2-gf6p-382h