Critical HTTP Request Smuggling Vulnerability in Starman Web Server
Severity: High (Score: 72.6)
Sources: Linuxsecurity
Summary
A critical vulnerability has been identified in Starman versions prior to 0.4018 that allows HTTP Request Smuggling due to improper header precedence. The issue arises when both 'Content-Length' and 'Transfer-Encoding: chunked' headers are present in a request and Starman incorrectly gives 'Content-Length' priority. This flaw, tracked as CVE-2026-40560, could enable attackers to smuggle malicious HTTP requests through a front-end reverse proxy. The vulnerability affects various Linux distributions, including Fedora and Mageia, prompting urgent updates. The fix is implemented in Starman version 0.4018, released on April 29, 2026. Users are advised to update their systems immediately to mitigate the risk of exploitation. The vulnerability was published on April 28, 2026, and poses a significant threat to web applications relying on this server.
Key Points
- Starman versions before 0.4018 are vulnerable to HTTP Request Smuggling.
- The vulnerability is due to improper header precedence between 'Content-Length' and 'Transfer-Encoding'.
- Users must update to Starman 0.4018 to mitigate the risk of exploitation.
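As an added illustration (not code from the advisory or from Starman itself), the Python below shows how a Content-Length-first parser and an RFC 7230 section 3.3.3 parser (Transfer-Encoding overrides Content-Length) disagree on body framing when both headers are present, and the defensive check a proxy or back-end can apply to reject such ambiguous requests rather than guess. The sample request bytes and the host name are constructed for this example.

```python
# Body-framing check for HTTP/1.1 requests that carry both Content-Length and
# Transfer-Encoding, the condition behind the Starman advisory above.

def parse_headers(raw):
    """Return (name, value) pairs from the header block, names lower-cased.
    Duplicates are kept so repeated framing headers stay visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_decision(raw):
    """Compare Content-Length-first framing (the bug) with the RFC 7230
    section 3.3.3 rule (Transfer-Encoding overrides Content-Length)."""
    headers = parse_headers(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    # The final transfer coding must be "chunked" for the body to be framed
    # by chunk sizes at all.
    chunked = any(v.split(",")[-1].strip().lower() == "chunked" for v in te)
    cl_first = "content-length" if cl else ("chunked" if chunked else "none")
    rfc = "chunked" if chunked else ("content-length" if cl else "none")
    return {
        "both_present": bool(te) and bool(cl),
        "cl_first_framing": cl_first,     # what a vulnerable parser uses
        "rfc_framing": rfc,               # what a compliant parser uses
        "disagree": cl_first != rfc,      # the desync that enables smuggling
        "conflicting_lengths": len(set(cl)) > 1,
    }

def should_reject(raw):
    """Defensive policy for a proxy or back-end: refuse requests whose body
    length is ambiguous instead of picking one interpretation."""
    d = framing_decision(raw)
    return d["both_present"] or d["conflicting_lengths"]

# Constructed sample: both framing headers present in one request.
AMBIGUOUS = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
# Constructed sample: ordinary request with a single Content-Length.
PLAIN = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for name, req in (("ambiguous", AMBIGUOUS), ("plain", PLAIN)):
        print(name, framing_decision(req), "reject" if should_reject(req) else "accept")
```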
Key Entities
- HTTP Request Smuggling (vulnerability)
- HTTP Request Smuggling Via Improper Header Precedence (vulnerability)
- Zero-day Exploit (attack_type)
- CVE-2026-40560 (cve)
- T1190 - Exploit Public-Facing Application (mitre_attack)
- Fedora (company)
- Mageia (platform)
- PSGI (platform)
- Starman (platform)
- Perl (tool)