CVE-2026-40562
HTTP Request Smuggling in Gazelle for Perl
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: CPANSec
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Gazelle versions through 0.49 for Perl and involves HTTP Request Smuggling due to improper header precedence.
Gazelle incorrectly prioritizes the Content-Length header over the Transfer-Encoding: chunked header when both are present in an HTTP request. According to RFC 7230 section 3.3.3, Transfer-Encoding must take precedence.
An attacker can exploit this flaw to smuggle malicious HTTP requests through a front-end reverse proxy by sending crafted requests containing both headers, leading to inconsistent request parsing.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows HTTP request smuggling, which can lead to malicious requests bypassing security controls and potentially causing unauthorized actions or data manipulation.
Such unauthorized actions and data integrity issues could impact compliance with standards like GDPR and HIPAA, which require protection of data integrity and prevention of unauthorized access.
However, the provided information does not explicitly detail the direct effects on compliance with these regulations.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass security controls by smuggling malicious HTTP requests through a front-end reverse proxy.
Such attacks can lead to unauthorized access, request hijacking, cache poisoning, or other malicious activities depending on the backend server's behavior.
Because the server misinterprets the boundaries of HTTP requests, it can cause inconsistent processing of requests, potentially exposing sensitive data or allowing execution of unintended commands.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves HTTP request smuggling by sending requests containing both Transfer-Encoding and Content-Length headers. Detection involves monitoring HTTP requests for the presence of both headers simultaneously, which is against RFC 7230 §3.3.3.
You can detect potentially malicious requests by capturing and inspecting HTTP traffic on your network or system using tools like tcpdump or Wireshark.
- Use tcpdump to capture HTTP traffic: `tcpdump -i <interface> -A 'tcp port 80 or tcp port 443'`
- Filter captured traffic for HTTP requests containing both Transfer-Encoding and Content-Length headers by searching the payload for these headers.
- Alternatively, use tools like grep or custom scripts on HTTP logs to identify requests with both headers.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to apply the patch that modifies the Gazelle Perl module to reject HTTP requests containing both Transfer-Encoding and Content-Length headers, enforcing the correct header precedence as per RFC 7230 §3.3.3.
If patching is not immediately possible, consider implementing filtering rules on your front-end reverse proxy or web server to block or reject HTTP requests that contain both headers simultaneously.
Additionally, monitor your HTTP traffic for suspicious requests with conflicting headers and block any identified malicious traffic.
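The detection and mitigation answers above both come down to one rule: decide body framing the way RFC 7230 §3.3.3 does, and treat a request carrying both Transfer-Encoding and Content-Length as an error instead of letting Content-Length win. The check below is an added example written for this page (not the Gazelle patch or any proxy's own code); the request bytes it is run on are constructed for illustration, and it could be dropped into a log-inspection script or a pre-filter in front of a Gazelle backend.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous (CWE-444)."""


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a request head into (request-line, [(name, value), ...]).
    Header names are lower-cased, since they are case-insensitive (RFC 7230 §3.2)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_verdict(raw: bytes) -> str:
    """Return the framing decision a RFC 7230 §3.3.3 compliant agent makes:
    'chunked', 'content-length', 'none', or a 'reject: ...' reason.
    Gazelle <= 0.49 instead let Content-Length win when both were present."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        # §3.3.3: Transfer-Encoding overrides, and the message ought to be an error.
        return "reject: Transfer-Encoding and Content-Length both present"
    if te:
        # Repeated fields are combined in order; only a final 'chunked' coding
        # gives a self-delimiting body.
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return "reject: final transfer-coding is not chunked"
        return "chunked"
    if cl:
        # Multiple Content-Length fields must all carry the same valid value.
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return "reject: conflicting or invalid Content-Length"
        return "content-length"
    return "none"


# Constructed sample: the header combination this CVE is about.
SAMPLE_CONFLICTING = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(framing_verdict(SAMPLE_CONFLICTING))
```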