CVE-2026-40560
HTTP Request Smuggling in Starman <0.4018 via Header Precedence

Publication date: 2026-04-29

Last updated on: 2026-05-06

Assigner: CPANSec

Description
Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via improper header precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 §3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: miyagawa
Product: starman
Version / Range: up to 0.4018 (exclusive)
CWE
CWE-444: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in Starman versions before 0.4018 for Perl, where the server incorrectly prioritizes the HTTP header "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in a request.

According to the HTTP standard RFC 7230 §3.3.3, the "Transfer-Encoding" header must take precedence over "Content-Length". Starman's improper handling allows an attacker to exploit this by sending specially crafted HTTP requests with both headers, enabling HTTP request smuggling.

HTTP request smuggling is a technique where an attacker sends ambiguous HTTP requests that can be interpreted differently by front-end proxies and back-end servers, potentially allowing malicious requests to bypass security controls.


How can this vulnerability impact me?

This vulnerability can allow an attacker to smuggle malicious HTTP requests through a front-end reverse proxy to the Starman server.

By exploiting the improper header precedence, attackers can bypass security controls, inject unauthorized requests, or manipulate the way requests are processed, potentially leading to unauthorized access, data leakage, or other security breaches.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper handling of HTTP headers where Starman prioritizes Content-Length over Transfer-Encoding: chunked, enabling HTTP request smuggling.

To detect this vulnerability on your network or system, you can monitor HTTP requests that contain both Transfer-Encoding: chunked and Content-Length headers simultaneously.

A practical approach is to send crafted HTTP requests with conflicting Transfer-Encoding and Content-Length headers to the Starman server and observe the response behavior.

  • Use tools like curl or netcat to manually send such requests. For example, using netcat (printf is used instead of echo -e so the request bytes are portable across shells and no trailing newline is appended):

    printf 'POST / HTTP/1.1\r\nHost: vulnerable-server\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n5\r\nHello\r\n0\r\n\r\n' | nc vulnerable-server 80

If the server processes the chunked body correctly and ignores the misleading Content-Length, it is patched; if it processes Content-Length first, it is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update Starman to version 0.4018 or later, where the header precedence logic has been corrected.

The patch ensures that Transfer-Encoding: chunked takes precedence over Content-Length, preventing HTTP request smuggling attacks.

If updating is not immediately possible, consider placing a front-end reverse proxy or web application firewall that correctly enforces RFC 7230 §3.3.3 header precedence to block suspicious requests.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows HTTP request smuggling by improperly prioritizing the Content-Length header over the Transfer-Encoding header, which can be exploited by attackers to send malicious HTTP requests through front-end reverse proxies.

Such an attack could potentially lead to unauthorized access, data manipulation, or data leakage, which may impact the confidentiality and integrity of sensitive information.

Therefore, if exploited, this vulnerability could hinder compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive data against unauthorized access and breaches.


Can you explain this vulnerability to me?

CVE-2026-40560 is a vulnerability in Starman, a Perl web server, affecting versions before 0.4018. The issue arises because Starman incorrectly prioritizes the "Content-Length" HTTP header over the "Transfer-Encoding: chunked" header when both are present in an HTTP request.

According to RFC 7230 section 3.3.3, the "Transfer-Encoding" header must take precedence over "Content-Length." Starman's improper handling allows an attacker to exploit this discrepancy to perform HTTP Request Smuggling attacks.

In such an attack, malicious HTTP requests can be smuggled through front-end reverse proxies by exploiting inconsistent interpretation of these headers, potentially bypassing security controls.


How can this vulnerability impact me?

This vulnerability can allow an attacker to perform HTTP Request Smuggling attacks by sending crafted HTTP requests that exploit the incorrect header precedence in Starman.

Such attacks can bypass front-end reverse proxies, potentially allowing attackers to bypass security controls, inject malicious requests, or interfere with the normal processing of HTTP traffic.

The CVSS v3.1 base score of 7.5 indicates a high severity impact, with the vulnerability allowing remote attackers to cause a confidentiality impact without requiring privileges or user interaction.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves HTTP request smuggling due to improper handling of conflicting HTTP headers "Content-Length" and "Transfer-Encoding: chunked". Detection can involve monitoring HTTP requests for the presence of both headers simultaneously, which is unusual and indicative of an attempt to exploit this flaw.

One approach is to capture and analyze HTTP traffic to identify requests containing both headers. For example, using tools like tcpdump or Wireshark to filter HTTP requests with both headers present.

  • Use tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443'
  • Use grep or similar tools to search captured traffic for requests containing both "Content-Length" and "Transfer-Encoding: chunked" headers.
  • Alternatively, use specialized HTTP proxy or web application firewall logs to detect suspicious requests with conflicting headers.
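As an added illustration (not part of this advisory or of Starman's own code), the following Python models the two framing decisions described in the explanation sections and the "both headers present" check suggested in the detection bullets above and in the earlier netcat example. The request bytes are constructed here; the header parser and chunk decoder are simplified stand-ins, not Starman's implementation, and the leftover bytes returned by frame_body are what a server would go on to read as the start of the next request on the same connection.

```python
# Constructed probe (same shape as the netcat request in the detection notes):
# both framing headers present, chunked body "Hello", Content-Length 5.
PROBE = (b"POST / HTTP/1.1\r\nHost: vulnerable-server\r\n"
         b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n"
         b"5\r\nHello\r\n0\r\n\r\n")

def parse_request(raw):
    """Split raw bytes into (request line, {lowercased name: [values]}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return lines[0].decode(), headers, body

def has_conflicting_framing(headers):
    """Detection rule from the text: Transfer-Encoding and Content-Length both present."""
    return "transfer-encoding" in headers and "content-length" in headers

def read_chunked(body):
    """Decode a chunked body; returns (payload, bytes left after the 0-size chunk)."""
    payload, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # chunk-size, extensions ignored
        pos = eol + 2
        if size == 0:
            end = body.index(b"\r\n", pos) + 2        # trailer section assumed empty
            return payload, body[end:]
        payload += body[pos:pos + size]
        pos += size + 2                                 # skip chunk data and its CRLF

def frame_body(headers, body, te_wins=True):
    """Return (message body, leftover bytes the server would read as the next request).
    te_wins=True is the RFC 7230 section 3.3.3 rule (the fixed behaviour);
    te_wins=False models the pre-0.4018 behaviour of honouring Content-Length first.
    """
    if "transfer-encoding" in headers and (te_wins or "content-length" not in headers):
        return read_chunked(body)
    length = int(headers["content-length"][0])
    return body[:length], body[length:]

if __name__ == "__main__":
    _, hdrs, body = parse_request(PROBE)
    print("conflicting framing headers:", has_conflicting_framing(hdrs))
    print("RFC precedence  :", frame_body(hdrs, body))
    print("CL-first (buggy):", frame_body(hdrs, body, te_wins=False))
```

With the RFC rule the whole probe is consumed as one request; with Content-Length first, only "5\r\nHe" is taken as the body and the rest is left on the connection, which is the desynchronisation the advisory describes.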

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Starman to version 0.4018 or later, where the vulnerability has been fixed by correcting the header precedence logic to comply with RFC 7230 §3.3.3.

Until the upgrade can be applied, consider implementing protective measures such as configuring front-end reverse proxies or web application firewalls to reject HTTP requests containing both "Content-Length" and "Transfer-Encoding: chunked" headers.

Monitoring and blocking suspicious HTTP requests that attempt to exploit this header precedence issue can reduce the risk of HTTP request smuggling attacks.

