HTTP Request Parsing Vulnerability in Tinyproxy by Tinyproxy
CVE-2026-31842

8.7HIGH

Key Information:

Vendor

Tinyproxy Project

Status
Tinyproxy
Vendor
CVE Published:
7 April 2026

What is CVE-2026-31842?

Tinyproxy is susceptible to a flaw in HTTP request parsing that results from a case-sensitive comparison of the Transfer-Encoding header. When it checks against the 'chunked' value using strcmp(), this implementation does not align with RFC 7230, which states that transfer-coding names should be treated as case-insensitive. An unauthenticated remote attacker can exploit this vulnerability by sending a request with the header 'Transfer-Encoding: Chunked'. This leads Tinyproxy to erroneously interpret the request as lacking a body, causing content_length.client to be set to -1 and thereby skipping crucial data handling. Consequently, it forwards request headers upstream and enters a state of raw TCP forwarding, leaving unprocessed body data in the buffer. If the backend server adheres to RFC standards, it will await chunked body data, which may result in indefinite connection hangs and application-level denial of service due to worker exhaustion. Furthermore, in configurations where Tinyproxy oversees request-body inspection or security measures, the unread body could be sent without appropriate evaluation, leading to potential vulnerability exploitations.

Affected Version(s)

Tinyproxy all 0 <= 1.11.3

References

https://github.com/tinyproxy/tinyproxy/issues/604
issue-trackingtechnical-descriptionthird-party-advisory
https://github.com/tinyproxy/tinyproxy
product
https://datatracker.ietf.org/doc/html/rfc7230
technical-description

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muxammadiyev G'iyosiddin
.