CVE-2026-40562
High
Published: 06 May 2026
Modified: 06 May 2026
KEV Added: —
Patch: —
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score: N/A
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)
Description
Gazelle versions through 0.49 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 section 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Details
- CWE(s)