Impact
Tinyproxy versions up to 1.11.3 are vulnerable to an HTTP request smuggling flaw. The proxy fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim while using Content-Length to determine how many request body bytes to consume. This desynchronizes the proxy and backend parser, enabling an attacker to inject arbitrary HTTP requests into the backend connection. The attacker can then perform cache poisoning, bypass access control, or hijack requests, potentially altering backend state or exfiltrating data.
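The framing disagreement described above can be checked on any raw request before it is forwarded. The following is an added example, not Tinyproxy code and not the project's fix: the function names and the sample request are constructed for illustration, and the normalization follows RFC 9112 section 6.3, under which Transfer-Encoding overrides Content-Length and an intermediary removes Content-Length before forwarding.

```python
# Added example, not Tinyproxy code. SAMPLE is a constructed, benign request.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: backend.example\r\n"
          b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

def parse_head(raw):
    """Return (headers, body): headers as lowercase (name, value) pairs."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers, body

def chunked_length(body):
    """Bytes a chunked parser consumes (assumes no trailer fields)."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)            # ValueError if truncated
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return pos + 2                        # final CRLF ends the body
        pos += size + 2                           # chunk data plus its CRLF

def framing(raw):
    """Report how each framing header delimits the same request body."""
    headers, body = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    chunked = any(v.split(",")[-1].strip().lower() == "chunked" for v in te)
    return {"conflict": bool(cl and te),
            "by_content_length": int(cl[0]) if cl else None,
            "by_chunked": chunked_length(body) if chunked else None}

def normalize(headers):
    """RFC 9112 section 6.3: Transfer-Encoding wins; drop Content-Length."""
    if any(n == "transfer-encoding" for n, _ in headers):
        return [(n, v) for n, v in headers if n != "content-length"]
    return headers

if __name__ == "__main__":
    print(framing(SAMPLE))
    print(normalize(parse_head(SAMPLE)[0]))
```

On the sample, a Content-Length reader stops after 5 body bytes while a chunked reader consumes 15, which is the kind of boundary mismatch a proxy should reject or normalize rather than forward.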
Affected Systems
All installations of tinyproxy:tinyproxy up to and including version 1.11.3 are affected. The issue was fixed in commit ff45d3b, incorporated into releases 1.11.4 and newer. Users running versions older than 1.11.4 remain exposed.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.3, indicating critical severity, but the EPSS score is less than 1%, suggesting that real-world exploitation is currently rare. It is not listed in the CISA KEV catalog, meaning no publicly documented active exploits exist. Attackers would need network access to the proxy to send specially crafted traffic that includes both Content-Length and Transfer-Encoding: chunked headers; authentication is not required. While the potential impact is high, the low exploitation probability suggests prioritizing remediation for high-value targets or environments where the proxy is exposed.