Skip to main content

Starlet EUVDEUVD-2026-26806

| CVE-2026-40561 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-05-03 CPANSec
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

7
Source Code Evidence Fetched
May 04, 2026 - 14:22 vuln.today
Analysis Generated
May 04, 2026 - 14:22 vuln.today
CVSS changed
May 04, 2026 - 14:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
May 03, 2026 - 01:15 euvd
EUVD-2026-26806
Analysis Generated
May 03, 2026 - 01:15 vuln.today
Patch released
May 03, 2026 - 01:15 nvd
Patch available
CVE Published
May 03, 2026 - 00:57 nvd
MEDIUM 5.3

DescriptionCVE.org

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

AnalysisAI

HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3, which mandates that Transfer-Encoding must take precedence when both headers are present. An attacker positioned between a client and Starlet-based backend can craft malicious requests that are interpreted differently by a front-end reverse proxy and the Starlet server, enabling request smuggling attacks with integrity impact.

Technical ContextAI

Starlet is a high-performance Perl PSGI application server. The vulnerability resides in the HTTP request parsing logic (lib/Starlet/Server.pm, handle_connection subroutine) where the server incorrectly prioritizes the Content-Length header when both Content-Length and Transfer-Encoding: chunked are present in the same HTTP request. RFC 7230 section 3.3.3 explicitly requires that Transfer-Encoding takes precedence, and the presence of both headers together signals a potential request smuggling or response splitting attack. The root cause is CWE-444 (Inconsistent Interpretation of HTTP Requests by HTTP Entities), a well-known class enabling cache poisoning, session fixation, and request smuggling attacks in proxy chains. The CPE affected is cpe:2.3:a:kazuho:starlet:*:*:*:*:*:*:*:* for all versions through 0.31.

RemediationAI

Upgrade Starlet to a version released after the patch commit a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0 (exact patched version number not specified in provided data, consult CPAN or vendor release notes). The upstream fix adds validation to reject HTTP requests containing both Transfer-Encoding and Content-Length headers, returning a 400 Bad Request response as per RFC 7230 guidance. No workarounds are documented for unpatched versions, but deployment-level mitigation can include placing a RFC 7230-compliant reverse proxy (such as nginx or Apache with appropriate configuration) in front of Starlet to normalize or reject malformed requests before they reach the backend. If immediate patching is not feasible, restrict Starlet to trusted networks and avoid exposing it directly to the internet; however, this does not eliminate risk in multi-tier proxy architectures. Refer to https://github.com/kazuho/Starlet for release notes and https://vuldb.com/vuln/360875 for additional advisory details.

Share

EUVD-2026-26806 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy