CVE-2026-40562

Published: May 06, 2026 Last Modified: May 06, 2026

Description

Gazelle versions through 0.49 for Perl allow HTTP Request Smuggling via Improper Header Precedence.

Gazelle incorrectly prioritizes 'Content-Length' over 'Transfer-Encoding: chunked' when both headers are present in an HTTP request. Per RFC 7230, Section 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
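
The precedence rule described above, as an added example (not Gazelle's code and not the linked patch): a minimal Python model of the two framing decisions, run on a constructed request with a harmless body. Function names, the sample host and the sample path are assumptions made for illustration.

```python
CRLF = b"\r\n"

def parse_head(raw):
    """Split a raw request into (headers keyed by lowercase name, bytes after the head)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:              # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest

def chunked_length(data):
    """Bytes occupied by a chunked body without trailers, last chunk included."""
    pos = 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return data.index(CRLF, pos) + 2           # CRLF that ends the body
        pos += size + 2                                # chunk data plus its CRLF

def body_length(raw, te_wins=True):
    """Body size a parser consumes. te_wins=True follows RFC 7230 3.3.3;
    te_wins=False models the Content-Length-first precedence in the advisory."""
    headers, rest = parse_head(raw)
    chunked = headers.get(b"transfer-encoding", b"").lower().endswith(b"chunked")
    has_cl = b"content-length" in headers
    if chunked and (te_wins or not has_cl):
        return chunked_length(rest)
    return int(headers[b"content-length"]) if has_cl else 0

def leftover(raw, te_wins):
    """Bytes remaining after the body: what a keep-alive parser reads as the next request."""
    _, rest = parse_head(raw)
    return rest[body_length(raw, te_wins):]

def is_ambiguous(raw):
    """Defensive check: both framing headers present, so reject or drop Content-Length."""
    headers, _ = parse_head(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers

# Constructed sample: benign chunked body plus a conflicting Content-Length.
SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    print("RFC-compliant leftover:", leftover(SAMPLE, True))
    print("Content-Length-first leftover:", leftover(SAMPLE, False))
    print("flag as ambiguous:", is_ambiguous(SAMPLE))
```

A non-empty leftover under one rule and an empty one under the other is the disagreement about message boundaries that the CWE below names; a front end or log pipeline can use the `is_ambiguous` condition to reject or flag such requests before they reach the back end.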

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Incomplete
Common Consequences
Security Scopes Affected: Integrity, Non-Repudiation, Access Control
Potential Impacts: Unexpected State, Hide Activities, Bypass Protection Mechanism

Applicable Platforms
Technologies: Web Based, Web Server

https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3
https://security.metacpan.org/patches/G/Gazelle/0.49/CVE-2026-40562-r1.patch