Starlet HTTP Request Smuggling Vulnerability via Improper Header Precedence
Vulnerability
A vulnerability in Starlet versions prior to 0.31 for Perl allows HTTP request smuggling through improper header precedence. Starlet incorrectly prioritizes 'Content-Length' over 'Transfer-Encoding: chunked' when both headers are present, contrary to RFC 7230, which states that 'Transfer-Encoding' must take precedence. This flaw could enable an attacker to smuggle malicious HTTP requests through a front-end reverse proxy.
Impact
Exploitation of this vulnerability could lead to HTTP request smuggling, allowing an attacker to send malicious requests that could be misinterpreted by the server or a reverse proxy, potentially causing unintended behavior or security issues.
Reproduction
The vulnerability can be reproduced by sending an HTTP request that includes both 'Content-Length' and 'Transfer-Encoding: chunked' headers. The server will incorrectly process the request, prioritizing the 'Content-Length' header and allowing for request smuggling. This can be automated with a test script that sends such a request to a Starlet server instance.
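The framing disagreement described above, as an added example (not Starlet's code or the advisory's test script): a minimal standalone parser that frames the same constructed request once under the RFC 7230 rule (Transfer-Encoding wins) and once under the pre-0.31 behaviour (Content-Length wins), plus a check a proxy or server can use to flag such ambiguous requests. The sample request and all function names are constructed for illustration.

```python
# Added example: two framing rules applied to one request; not from Starlet.
from typing import Dict, Tuple

CRLF = b"\r\n"

def parse_headers(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a request into a lowercase header dict and the bytes after the blank line."""
    head, _, rest = raw.partition(CRLF + CRLF)
    headers: Dict[str, str] = {}
    for line in head.split(CRLF)[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, rest

def decode_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (body, bytes left over after the terminator)."""
    body = b""
    while True:
        size_line, _, data = data.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            while True:  # skip optional trailers up to the empty line
                trailer, _, data = data.partition(CRLF)
                if not trailer:
                    return body, data
        body += data[:size]
        data = data[size + len(CRLF):]  # drop chunk data and its trailing CRLF

def frame_body(raw: bytes, te_wins: bool) -> Tuple[bytes, bytes]:
    """Return (body, leftover). te_wins=True is the RFC 7230 rule; False mimics Starlet < 0.31."""
    headers, rest = parse_headers(raw)
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    if chunked and (te_wins or "content-length" not in headers):
        return decode_chunked(rest)
    n = int(headers.get("content-length", "0"))
    return rest[:n], rest[n:]

def is_ambiguous(raw: bytes) -> bool:
    """True when both framing headers are present; RFC 7230 says such a request ought to be rejected."""
    headers, _ = parse_headers(raw)
    return "transfer-encoding" in headers and "content-length" in headers

# Constructed sample (not from the advisory): both headers, chunked body "hello".
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(frame_body(SAMPLE, te_wins=True))   # (b'hello', b'')
    print(frame_body(SAMPLE, te_wins=False))  # (b'5\r\nhe', b'llo\r\n0\r\n\r\n')
    print(is_ambiguous(SAMPLE))               # True
```

Under the Content-Length rule the leftover bytes are what a desynced server would read as the start of the next request, which is why a front end should reject any request where `is_ambiguous` is true rather than forward it.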
Remediation
Users can update to Starlet version 0.31 or later, where this vulnerability has been fixed.
