Description
Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tinyproxy accepts requests that contain multiple Content-Length headers with conflicting values. The proxy forwards all duplicate headers to the backend while using only the first header to determine the size of the request body it consumes. This discrepancy desynchronizes the parser state between the proxy and the backend, allowing an attacker to inject arbitrary HTTP requests into the stream. The injected requests can poison caches, bypass access controls, or hijack legitimate traffic.

Affected Systems

All Tinyproxy releases through version 1.11.3 are affected. Versions newer than 1.11.3 that include commit 364cdb67e0ea00a8e4a7037e2693e0711e816adb are not vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 9.3, indicating critical severity. An EPSS score of less than 1% suggests a low probability of exploitation so far, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote: an attacker sends a crafted HTTP request with duplicate Content-Length headers to the proxy, exploiting the desynchronization to inject malicious requests to the backend server, potentially leading to cache poisoning, authentication bypass, or request hijacking.

Generated by OpenCVE AI on June 18, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by updating Tinyproxy to a version that incorporates commit 364cdb6 or later.
  • Enforce input validation to reject HTTP requests containing duplicate Content-Length headers, addressing the input validation weakness indicated by CWE-444.
  • Use firewall or reverse proxy rules to block or reject incoming traffic with duplicate Content-Length headers.
  • Monitor log entries for duplicate Content-Length headers or abnormal request patterns to detect attempted exploitation.
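The check the second and fourth recommendations call for, as an added example that is not OpenCVE's or the Tinyproxy project's code: a small Python validator that a reverse proxy or log-review script could apply to a raw request head. It collects every Content-Length field (case-insensitive, counting comma-separated list members as separate fields), rejects non-numeric or conflicting values, and collapses identical duplicates to one value as RFC 9110 section 8.6 permits, so the proxy and backend can never read different body lengths from the same request. The sample request heads are constructed, and the names check_content_length and flag_suspicious are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample request heads (not captured traffic); CRLF line endings as on the wire.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "clean": (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\n\r\n"),
    "duplicate_same": (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                       b"Content-Length: 5\r\nContent-Length: 5\r\n\r\n"),
    "duplicate_differing": (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                            b"Content-Length: 5\r\ncontent-length: 40\r\n\r\n"),
    "list_differing": (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                       b"Content-Length: 5, 40\r\n\r\n"),
    "non_numeric": (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: 5x\r\n\r\n"),
}

_DIGITS = re.compile(rb"^[0-9]+$")


@dataclass
class Verdict:
    accept: bool
    reason: str
    content_length: Optional[int] = None


def parse_header_fields(raw_head: bytes) -> List[Tuple[bytes, bytes]]:
    """Return (lower-cased name, value) pairs from a request head.

    The request-line is skipped and parsing stops at the first empty line.
    Raises ValueError on a header line without a name or colon.
    """
    lines = raw_head.split(b"\r\n")
    fields: List[Tuple[bytes, bytes]] = []
    for line in lines[1:]:
        if line == b"":
            break
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def check_content_length(raw_head: bytes) -> Verdict:
    """Reject a head whose Content-Length fields disagree or are non-numeric."""
    try:
        fields = parse_header_fields(raw_head)
    except ValueError as exc:
        return Verdict(False, str(exc))
    members: List[bytes] = []
    for name, value in fields:
        if name == b"content-length":
            # A comma-separated value is a list; each member counts as its own field.
            members.extend(m.strip() for m in value.split(b","))
    if not members:
        return Verdict(True, "no Content-Length field")
    if any(not _DIGITS.match(m) for m in members):
        return Verdict(False, "non-numeric Content-Length value")
    distinct = sorted({int(m) for m in members})
    if len(distinct) > 1:
        # Differing values: the proxy and backend could consume different body lengths.
        return Verdict(False, "conflicting Content-Length values %s" % distinct)
    if len(members) > 1:
        # Identical duplicates are allowed to be collapsed into one field.
        return Verdict(True, "identical duplicates collapsed", distinct[0])
    return Verdict(True, "single Content-Length", distinct[0])


def flag_suspicious(requests: Dict[str, bytes]) -> List[str]:
    """Names of the request heads the validator rejects (the monitoring use)."""
    return [name for name, head in requests.items()
            if not check_content_length(head).accept]


if __name__ == "__main__":
    for name, head in SAMPLE_REQUESTS.items():
        v = check_content_length(head)
        print("%-20s %-6s %s" % (name, "accept" if v.accept else "REJECT", v.reason))
```

The validator deliberately rejects rather than repairs conflicting values: picking either the first or the last value reproduces exactly the kind of silent choice that lets two parsers disagree. A rule in front of the proxy should do the same, and a log search for the strings flag_suspicious reports is a cheap first pass at the monitoring recommendation.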

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Tinyproxy; Tinyproxy tinyproxy
Vendors & Products                    Tinyproxy; Tinyproxy tinyproxy

Thu, 18 Jun 2026 16:45:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type          Values Removed   Values Added
Description                    Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
Title                          Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers
Weaknesses                     CWE-444
References
Metrics                        cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
                               cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T15:33:57.017Z

Reserved: 2026-06-12T20:20:02.950Z

Link: CVE-2026-54388

Vulnrichment

Updated: 2026-06-18T15:33:50.610Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')