CVE-2026-40561

NameCVE-2026-40561
DescriptionStarlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1135584

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
starlet (PTS)bullseye0.31-1.1vulnerable
forky, sid, bookworm, trixie0.31-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
starletsource(unstable)(unfixed)1135584

Notes

https://lists.security.metacpan.org/cve-announce/msg/39593408/
Fixed by: https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0
Search for package or bug name: Reporting problems