Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.
Published: 2026-02-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (DoS) via resource exhaustion
Action: Patch
AI Analysis

Impact

TinyWeb is a Win32 HTTP/HTTPS web server written in Delphi. Prior to version 2.02 it spawns a new OS thread for each incoming connection without imposing a maximum thread limit or an adequate request idle‑timeout. An unauthenticated remote attacker can open many connections and send data very slowly—e.g., one byte every few minutes—in order to exhaust the process’s thread pool and memory, causing a denial of service. The flaw is a resource exhaustion vulnerability (CWE‑400) combined with an uncontrolled creation of worker threads (CWE‑770).

Affected Systems

The vulnerability affects the TinyWeb web server distributed by maximmasiutin (also listed as ritlabs:tinyweb). Versions older than 2.02 are impacted. Any deployment of TinyWeb serving websites or other HTTP services on Windows is vulnerable if it has not been updated to 2.02 or later.

Risk and Exploitability

The CVSS base score is 8.7, indicating high severity. The EPSS score is below 1 %, suggesting a low but non‑zero probability of exploitation at present; the vulnerability is not currently listed in the CISA KEV catalog. Attackers need only open multiple slow connections without authentication, making the exploit trivial to automate. If successful, the attack will consume operating system threads and memory until the server becomes unresponsive, leading to service interruption for all legitimate users.

Generated by OpenCVE AI on April 17, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TinyWeb to version 2.02 or later, applying the built‑in concurrency limit and timeout settings.
  • Adjust the CMaxConnections configuration to match the desired maximum number of concurrent connections, ensuring it is not set excessively high.
  • Set or confirm the CConnectionTimeoutSecs idle‑timeout value so that threads terminate after no activity for 30 seconds.
  • If an upgrade cannot be performed immediately, place TinyWeb behind a reverse proxy or Web Application Firewall such as nginx, HAProxy or Cloudflare, enabling aggressive connection limits, request buffering and idle‑timeout enforcement.
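The two controls the 2.02 patch introduces, a connection cap and an idle timeout, shown as an added Python example rather than TinyWeb's own Delphi code; the server class, its stats counters and the 8 KiB header limit are this example's own assumptions.

```python
import socket
import threading

# Added example, not TinyWeb's Delphi code: a threaded accept loop with the two
# controls the 2.02 patch introduced, a connection cap and an idle timeout.
MAX_CONNECTIONS = 512          # mirrors CMaxConnections in TinyWeb 2.02
CONNECTION_TIMEOUT_SECS = 30   # mirrors CConnectionTimeoutSecs in TinyWeb 2.02


class SlowlorisHardenedServer:
    def __init__(self, host="127.0.0.1", port=0,
                 max_connections=MAX_CONNECTIONS, timeout_secs=CONNECTION_TIMEOUT_SECS):
        self.sock = socket.socket()
        self.sock.bind((host, port))
        self.sock.listen(128)
        self.port = self.sock.getsockname()[1]   # port=0 lets the OS pick a free port
        self.timeout_secs = timeout_secs
        # Fixed budget of handler threads instead of one unbounded thread per connection.
        self.slots = threading.BoundedSemaphore(max_connections)
        self.stats = {"served": 0, "rejected": 0, "timed_out": 0}

    def serve_forever(self):
        while True:
            conn, _ = self.sock.accept()
            if not self.slots.acquire(blocking=False):
                self.stats["rejected"] += 1   # budget exhausted: refuse, never queue
                conn.close()
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        try:
            conn.settimeout(self.timeout_secs)   # each recv() waits at most this long
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(1024)
                if not chunk or len(buf) > 8192:   # peer closed, or oversized headers
                    return
                buf += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
            self.stats["served"] += 1
        except socket.timeout:   # client stalled mid-request (Slowloris pattern)
            self.stats["timed_out"] += 1
            try:
                conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
            except OSError:
                pass
        finally:
            conn.close()
            self.slots.release()
```

Run serve_forever() in a thread and watch stats["timed_out"] and stats["rejected"] while testing with a deliberately stalled client. A per-recv() idle timeout alone still lets a client that trickles a byte just inside each window hold a slot, which is why the reverse-proxy workaround's request buffering and total header deadline complement it.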

Tracking

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ritlabs; Ritlabs tinyweb
Weaknesses          |                | CWE-770
CPEs                |                | cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*
Vendors & Products  |                | Ritlabs; Ritlabs tinyweb
Metrics             |                | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 26 Feb 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Maximmasiutin; Maximmasiutin tinyweb
Vendors & Products  |                | Maximmasiutin; Maximmasiutin tinyweb

Wed, 25 Feb 2026 23:30:00 +0000

Type        | Values Removed | Values Added
Description |                | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.
Title       |                | TinyWeb vulnerable to Remote Denial of Service via Thread/Connection Exhaustion (Slowloris)
Weaknesses  |                | CWE-400
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Maximmasiutin Tinyweb
Ritlabs Tinyweb
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:50:51.538Z

Reserved: 2026-02-20T22:02:30.028Z

Link: CVE-2026-27630

Vulnrichment

Updated: 2026-02-26T16:47:51.396Z

NVD

Status: Analyzed

Published: 2026-02-26T00:16:23.813

Modified: 2026-02-28T01:01:22.727

Link: CVE-2026-27630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses