Skip to main content

Starlet

1 CVEs product

Monthly

CVE-2026-40561 MEDIUM PATCH This Month

HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3, which mandates that Transfer-Encoding must take precedence when both headers are present. An attacker positioned between a client and Starlet-based backend can craft malicious requests that are interpreted differently by a front-end reverse proxy and the Starlet server, enabling request smuggling attacks with integrity impact.

Request Smuggling Information Disclosure Starlet
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3, which mandates that Transfer-Encoding must take precedence when both headers are present. An attacker positioned between a client and Starlet-based backend can craft malicious requests that are interpreted differently by a front-end reverse proxy and the Starlet server, enabling request smuggling attacks with integrity impact.

Request Smuggling Information Disclosure Starlet
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy