{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-40562",
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"dateUpdated": "2026-05-07T16:13:49.501Z",
"dateReserved": "2026-04-14T11:35:53.644Z",
"datePublished": "2026-05-06T12:36:34.715Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec",
"dateUpdated": "2026-05-07T16:13:49.501Z"
},
"title": "Gazelle versions through 0.49 for Perl allow HTTP Request Smuggling via Improper Header Precedence",
"descriptions": [
{
"lang": "en",
"value": "Gazelle versions through 0.49 for Perl allow HTTP Request Smuggling via Improper Header Precedence.\n\nGazelle incorrectly prioritizes \"Content-Length\" over \"Transfer-Encoding: chunked\" when both headers are present in an HTTP request. Per RFC 7230 section 3.3.3, Transfer-Encoding must take precedence.\n\nAn attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. A proxy that honors Transfer-Encoding, as the RFC requires, will disagree with Gazelle about where the request body ends."
}
],
"affected": [
{
"vendor": "KAZEBURO",
"product": "Gazelle",
"collectionURL": "https://cpan.org/modules",
"packageName": "Gazelle",
"programFiles": [
"lib/Plack/Handler/Gazelle.pm",
"lib/Plack/Handler/Gazelle.xs"
],
"programRoutines": [
{
"name": "Plack::Handler::Gazelle::run"
},
{
"name": "lib/Plack/Handler/Gazelle.xs::_parse_http_request"
}
],
"repo": "https://github.com/kazeburo/Gazelle",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "custom",
"lessThanOrEqual": "0.49"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
"cweId": "CWE-444",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3"
},
{
"url": "https://security.metacpan.org/patches/G/Gazelle/0.49/CVE-2026-40562-r1.patch",
"tags": [
"patch"
]
},
{
"url": "https://metacpan.org/release/KAZEBURO/Gazelle-0.50/changes",
"tags": [
"release-notes"
]
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33 HTTP Request Smuggling"
}
]
}
],
"workarounds": [
{
"lang": "en",
"value": "Migrate to Starman version 0.4018 or newer, which has fixed the issue, or apply the patch."
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Gazelle 0.50 or later."
}
],
"timeline": [
{
"time": "2026-04-12T00:00:00.000Z",
"lang": "en",
"value": "Issue identified by CPANSec"
},
{
"time": "2026-04-29T00:00:00.000Z",
"lang": "en",
"value": "Issue reported to software maintainer"
},
{
"time": "2026-05-06T00:00:00.000Z",
"lang": "en",
"value": "Issue disclosed by CPANSec"
},
{
"time": "2026-05-07T00:00:00.000Z",
"lang": "en",
"value": "Gazelle 0.50 released"
}
],
"credits": [
{
"lang": "en",
"value": "CPANSec",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-05-06T14:15:32.815Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
},
{}
]
},
{
"providerMetadata": {
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE",
"dateUpdated": "2026-05-06T16:32:45.619Z"
},
"title": "CVE Program Container",
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/06/7"
}
]
}
]
}
}