Description
Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.
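To make the parsing point concrete, here is an added illustration, not Tinyproxy's source and not the upstream patch: the case-sensitive comparison the description attributes to is_chunked_transfer(), beside a hardened check that follows RFC 7230 by matching the transfer-coding name ignoring case and only as the final coding in the list. The function names and the comma-list handling are this example's own assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Vulnerable form: reconstructs the behaviour described for Tinyproxy
 * through 1.11.3 (not the project's actual source). A header value of
 * "Chunked" does not match, so the proxy would treat the request as
 * bodyless while the chunked body stays buffered. */
int is_chunked_vulnerable(const char *value)
{
        return strcmp(value, "chunked") == 0;
}

/* Hardened form (hypothetical fix, not the upstream patch). RFC 7230
 * makes transfer-coding names case-insensitive and requires chunked,
 * when present, to be the final coding, so inspect only the last
 * comma-separated element, trim optional whitespace, and compare
 * without regard to case. */
int is_chunked_fixed(const char *value)
{
        const char *start, *end;

        /* Last comma-separated element, or the whole value if no comma. */
        start = strrchr(value, ',');
        start = start ? start + 1 : value;

        while (*start && isspace((unsigned char)*start))
                start++;
        end = start + strlen(start);
        while (end > start && isspace((unsigned char)end[-1]))
                end--;

        /* Length must match exactly so "chunkedx" is not accepted. */
        return (size_t)(end - start) == strlen("chunked") &&
               strncasecmp(start, "chunked", (size_t)(end - start)) == 0;
}
```

A proxy that inspects bodies should also reject requests whose framing it cannot determine rather than relaying them, since forwarding unread bytes is what produces the desynchronization described above.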
Published: 2026-04-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Tinyproxy up to version 1.11.3 incorrectly processes the Transfer-Encoding header due to a case-sensitive string comparison. When an attacker sends a request with "Transfer-Encoding: Chunked", Tinyproxy treats the request as bodyless, sets the client content length to -1, and forwards the headers to the backend while leaving the chunked body data buffered. RFC-compliant backends then wait for the missing body, causing connections to hang and exhausting backend worker resources. This results in an application-level denial of service and, in setups where Tinyproxy performs request-body inspection, a potential bypass of security controls.

Affected Systems

The vulnerable product is Tinyproxy, produced by the Tinyproxy Project. The issue exists in all releases up through 1.11.3 and is mitigated in versions after 1.11.3.

Risk and Exploitability

The vulnerability has a high CVSS score of 8.7 and an EPSS score below 1%, indicating a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. An unauthenticated attacker can trigger the flaw by issuing an HTTP request whose Transfer-Encoding value differs in case from the lowercase "chunked" (for example "Chunked"), leading to denial of service of connected backend servers.

Generated by OpenCVE AI on April 7, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tinyproxy to a version newer than 1.11.3, ensuring the case-sensitive comparison has been fixed.



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Tinyproxy Project
                                      Tinyproxy Project tinyproxy
Vendors & Products                    Tinyproxy Project
                                      Tinyproxy Project tinyproxy

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description (added: identical to the full description at the top of this page)
Title Tinyproxy HTTP request parsing desynchronization via case-sensitive Transfer-Encoding handling
Weaknesses CWE-444
References
Metrics cvssV2_0

{'score': 7.8, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:C'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-04-07T16:30:44.774Z

Reserved: 2026-03-09T18:20:23.398Z

Link: CVE-2026-31842

Vulnrichment

Updated: 2026-04-07T16:30:35.022Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T12:16:21.040

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-31842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:47Z

Weaknesses