Description
An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen < 0), leading to a signed integer overflow during arithmetic operations (chunklen + 2). This results in incorrect size calculations, causing the proxy to attempt reading an extremely large amount of request-body data and holding worker connections open indefinitely. An attacker can exploit this behavior to exhaust all available worker slots, preventing new connections from being accepted and causing complete service unavailability. Upstream addressed this issue in commit bb7edc4; however, the latest stable release (1.11.3) remains affected at the time of publication.
Published: 2026-03-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
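
The parsing defect the Description attributes to tinyproxy (strtol() with no ERANGE check, guarded only by `chunklen < 0`) is easiest to see next to a hardened parser. The C below is an added example written for this page; it is neither tinyproxy's code nor the upstream fix in commit bb7edc4, and the function names and the MAX_CHUNK_SIZE limit are assumptions. It shows that LONG_MAX and over-range chunk sizes pass the sign-only check, while the hardened version rejects them before any `chunklen + 2` arithmetic can take place.

```c
/* Added example (not tinyproxy's code): a chunk-size parser that relies on
 * strtol() plus a "chunklen < 0" check, beside one that also checks
 * errno/ERANGE, trailing bytes and an upper bound before any arithmetic. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy value for this example: largest single chunk we will buffer. */
#define MAX_CHUNK_SIZE (64L * 1024 * 1024)

/* The pattern the advisory describes: strtol() followed only by a sign check.
 * LONG_MAX itself, and any larger value (strtol() clamps to LONG_MAX and sets
 * errno = ERANGE), is >= 0 and is therefore accepted; a later "chunklen + 2"
 * on that value is signed overflow. A non-numeric line yields 0, also accepted. */
long parse_chunk_size_weak(const char *line)
{
    long chunklen = strtol(line, NULL, 16);
    if (chunklen < 0)
        return -1;
    return chunklen;
}

/* Hardened parser: returns the chunk size, or -1 for anything that is not a
 * well-formed, in-range chunk-size line ("HEXDIG+ [;ext] CRLF"). */
long parse_chunk_size_safe(const char *line)
{
    char *end;
    long chunklen;

    /* The grammar allows only hex digits first; this rejects leading
     * whitespace and a sign, both of which strtol() would otherwise accept. */
    if (!isxdigit((unsigned char)line[0]))
        return -1;
    /* strtol(..., 16) also accepts an optional "0x" prefix; the grammar does not. */
    if (line[0] == '0' && (line[1] == 'x' || line[1] == 'X'))
        return -1;

    errno = 0;
    chunklen = strtol(line, &end, 16);
    if (errno == ERANGE || end == line)
        return -1;                  /* out of range, or nothing was parsed */
    /* Only a chunk extension or the line terminator may follow the digits. */
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;
    if (chunklen < 0)
        return -1;                  /* defensive; unreachable after the checks above */
    /* Bound the value before anything adds to it: with this in place the
     * "chunklen + 2" (data + CRLF) computation cannot overflow. */
    if (chunklen > MAX_CHUNK_SIZE || chunklen > LONG_MAX - 2)
        return -1;
    return chunklen;
}

int main(void)
{
    /* Constructed sample chunk-size lines, including the advisory's LONG_MAX value. */
    const char *samples[] = { "1a", "1a;name=val", "0", "7fffffffffffffff",
                              "ffffffffffffffffffff", "-1", "0x10" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s weak=%ld safe=%ld\n", samples[i],
               parse_chunk_size_weak(samples[i]), parse_chunk_size_safe(samples[i]));
    return 0;
}
```

Note that "7fffffffffffffff" is exactly LONG_MAX on LP64 platforms, so strtol() does not set ERANGE for it; the ERANGE check alone is not enough, and the explicit upper bound is what rejects it. On ILP32 the same input overflows and is caught by ERANGE instead, so both checks are needed for portable code.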
AI Analysis

Impact

An integer overflow occurs in Tinyproxy's HTTP chunked transfer encoding parser when parsing chunk size values. The vulnerability allows an unauthenticated remote attacker to send a crafted chunk size that overflows during arithmetic operations, leading the proxy to calculate an enormous request-body size and keep worker connections open. The result is a denial of service, as all worker slots can be exhausted, preventing new connections from being accepted and rendering the proxy unavailable.

Affected Systems

The affected product is the Tinyproxy proxy server. Versions up to and including 1.11.3 lack the necessary overflow check. The issue applies to the tinyproxy package (vendor Tinyproxy) on all supported platforms.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity, and the vulnerability is exploitable remotely without authentication by sending a specially crafted HTTP request. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an unauthenticated HTTP client that can send a large chunk size value, bypassing the validation and causing the proxy to enter a crash or hang state, thus impacting service availability.

Generated by OpenCVE AI on March 30, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tinyproxy to a version newer than 1.11.3 that includes the fix from commit bb7edc4.
  • If an upgraded release is unavailable, apply the upstream patch from commit bb7edc4 directly to the source code and rebuild the proxy.
  • After applying the patch, monitor proxy logs for unusual large chunk size requests and ensure that only trusted clients can access the proxy.


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Added: Tinyproxy; Tinyproxy tinyproxy

Type: Vendors & Products
Values Added: Tinyproxy; Tinyproxy tinyproxy

Tue, 31 Mar 2026 03:00:00 +0000

Type: Title
Values Added: Integer Overflow in Tinyproxy Chunked Transfer Parsing Causes DoS

Mon, 30 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:30:00 +0000

Type: Description
Values Added: (text identical to the Description section above)
Type: Weaknesses
Values Added: CWE-190

Type: References

Type: Metrics (cvssV2_0)
Values Added: {'score': 7.8, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:C'}

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Tinyproxy Tinyproxy
MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-03-30T15:02:33.584Z

Reserved: 2026-03-11T08:30:57.837Z

Link: CVE-2026-3945

Vulnrichment

Updated: 2026-03-30T15:02:22.371Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T08:16:17.653

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-3945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:41:14Z

Weaknesses