{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40560", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-04-14T11:35:53.644Z", "datePublished": "2026-04-28T23:46:37.780Z", "dateUpdated": "2026-04-29T03:04:48.511Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Starman", "product": "Starman", "programFiles": ["lib/Starman/Server.pm"], "programRoutines": [{"name": "Starman::Server::_prepare_env"}], "repo": "https://github.com/miyagawa/Starman", "vendor": "MIYAGAWA", "versions": [{"lessThan": "0.4018", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "CPANSec"}], "descriptions": [{"lang": "en", "value": "Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.\n\nStarman incorrectly prioritizes \"Content-Length\" over \"Transfer-Encoding: chunked\" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.\n\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy."}], "impacts": [{"capecId": "CAPEC-33", "descriptions": [{"lang": "en", "value": "CAPEC-33 HTTP Request Smuggling"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-04-28T23:52:21.284Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch"}, {"tags": ["release-notes"], "url": "https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes"}, {"url": "https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3"}], "solutions": [{"lang": "en", "value": "Upgrade to version 0.4018"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2027-04-12T00:00:00.000Z", "value": "Issue identified by CPANSec"}, {"lang": "en", "time": "2027-04-27T00:00:00.000Z", "value": "Issue reported to software maintainer"}, {"lang": "en", "time": "2027-04-27T00:00:00.000Z", "value": "Fix committed to public Github repository"}, {"lang": "en", "time": "2027-04-27T00:00:00.000Z", "value": "Updated version uploaded to CPAN"}], "title": "Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/29/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-29T03:04:48.511Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence.\n\nStarman incorrectly prioritizes \"Content-Length\" over \"Transfer-Encoding: chunked\" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.\n\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy."}], "id": "CVE-2026-40560", "lastModified": "2026-04-29T04:16:41.503", "metrics": {}, "published": "2026-04-29T00:16:03.927", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/29/1"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T02:05:48.869583+00:00", "value": {"mitigation_remediation": ["Upgrade Starman to version 0.4018 or newer", "Configure the reverse proxy to reject requests that contain both Content-Length and Transfer-Encoding headers", "Verify that incoming requests are validated or sanitized for header consistency before forwarding"], "summary": {"action": "Immediate Patch", "impact": "HTTP Request Smuggling"}, "threat_synthesis": {"affected_systems": "The affected product is Starman for Perl, maintained by MIYAGAWA. All versions preceding 0.4018 are vulnerable. The remedy is to upgrade to Starman 0.4018 or later.", "description_and_impact": "Starman versions earlier than 0.4018 implement HTTP header parsing that prioritizes the Content-Length header over Transfer-Encoding: chunked when both are present. According to RFC 7230, the Transfer-Encoding header must take precedence. Because of this improper precedence, an attacker can craft requests that include both headers and mislead Starman into handling payloads incorrectly. The consequence is that malicious HTTP requests can be smuggled past a front\u2011end reverse proxy, potentially enabling arbitrary request injection, cross\u2011site request forgery, or other attacks against downstream services that the proxy forwards the request to.", "risk_and_exploitability": "The exploit requires an attacker to be able to send crafted HTTP requests to a server running the vulnerable Starman behind a reverse proxy that forwards requests. Because this attack vector depends on the presence of the proxy, it is not a generic cross\u2011platform flaw, but can be highly impactful in environments using Starman for load balancing or reverse proxying. No EPSS score or KEV listing is available, so the current exploitation probability is indeterminate, but the potential impact of request smuggling is high in vulnerable configurations."}}}}, "created": "2026-04-29T02:15:47.403686+00:00", "updated": "2026-04-29T02:15:47.403708+00:00", "vendors": []}