CVE-2026-40560 (GCVE-0-2026-40560)

Vulnerability from cvelistv5 – Published: 2026-04-28 23:46 – Updated: 2026-04-29 13:30
VLAI?
Title
Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence
Summary
Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
Impacted products
Vendor Product Version
MIYAGAWA Starman Affected: 0 , < 0.4018 (custom)
Create a notification for this product.
Credits
CPANSec
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-29T03:04:48.511Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/29/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-40560",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T13:30:17.148319Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T13:30:33.198Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Starman",
          "product": "Starman",
          "programFiles": [
            "lib/Starman/Server.pm"
          ],
          "programRoutines": [
            {
              "name": "Starman::Server::_prepare_env"
            }
          ],
          "repo": "https://github.com/miyagawa/Starman",
          "vendor": "MIYAGAWA",
          "versions": [
            {
              "lessThan": "0.4018",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "CPANSec"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.\n\nStarman incorrectly prioritizes \"Content-Length\" over \"Transfer-Encoding: chunked\" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.\n\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-33",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-33 HTTP Request Smuggling"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T23:52:21.284Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes"
        },
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to version 0.4018"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2027-04-12T00:00:00.000Z",
          "value": "Issue identified by CPANSec"
        },
        {
          "lang": "en",
          "time": "2027-04-27T00:00:00.000Z",
          "value": "Issue reported to software maintainer"
        },
        {
          "lang": "en",
          "time": "2027-04-27T00:00:00.000Z",
          "value": "Fix committed to public Github repository"
        },
        {
          "lang": "en",
          "time": "2027-04-27T00:00:00.000Z",
          "value": "Updated version uploaded to CPAN"
        }
      ],
      "title": "Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-40560",
    "datePublished": "2026-04-28T23:46:37.780Z",
    "dateReserved": "2026-04-14T11:35:53.644Z",
    "dateUpdated": "2026-04-29T13:30:33.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40560",
      "date": "2026-04-29",
      "epss": "0.00018",
      "percentile": "0.04644"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40560\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2026-04-29T00:16:03.927\",\"lastModified\":\"2026-04-29T04:16:41.503\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.\\n\\nStarman incorrectly prioritizes \\\"Content-Length\\\" over \\\"Transfer-Encoding: chunked\\\" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.\\n\\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.\"}],\"metrics\":{},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"references\":[{\"url\":\"https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/04/29/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/04/29/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-29T03:04:48.511Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40560\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-29T13:30:17.148319Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-29T13:30:29.536Z\"}}], \"cna\": {\"title\": \"Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"CPANSec\"}], \"impacts\": [{\"capecId\": \"CAPEC-33\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-33 HTTP Request Smuggling\"}]}], \"affected\": [{\"repo\": \"https://github.com/miyagawa/Starman\", \"vendor\": \"MIYAGAWA\", \"product\": \"Starman\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.4018\", \"versionType\": \"custom\"}], \"packageName\": \"Starman\", \"programFiles\": [\"lib/Starman/Server.pm\"], \"collectionURL\": \"https://cpan.org/modules\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Starman::Server::_prepare_env\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2027-04-12T00:00:00.000Z\", \"value\": \"Issue identified by CPANSec\"}, {\"lang\": \"en\", \"time\": \"2027-04-27T00:00:00.000Z\", \"value\": \"Issue reported to software maintainer\"}, {\"lang\": \"en\", \"time\": \"2027-04-27T00:00:00.000Z\", \"value\": \"Fix committed to public Github repository\"}, {\"lang\": \"en\", \"time\": \"2027-04-27T00:00:00.000Z\", \"value\": \"Updated version uploaded to CPAN\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to version 0.4018\"}], \"references\": [{\"url\": \"https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch\", \"tags\": [\"patch\"]}, {\"url\": \"https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3\"}], \"x_generator\": {\"engine\": \"cpansec-cna-tool 0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.\\n\\nStarman incorrectly prioritizes \\\"Content-Length\\\" over \\\"Transfer-Encoding: chunked\\\" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.\\n\\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"shortName\": \"CPANSec\", \"dateUpdated\": \"2026-04-28T23:52:21.284Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40560\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-29T13:30:33.198Z\", \"dateReserved\": \"2026-04-14T11:35:53.644Z\", \"assignerOrgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"datePublished\": \"2026-04-28T23:46:37.780Z\", \"assignerShortName\": \"CPANSec\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.