CVE-2026-27630
Status: Received - Intake
Slowloris DoS Vulnerability in TinyWeb Server Prior to

Publication date: 2026-02-26

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.
Meta Information
Published: 2026-02-26
Last Modified: 2026-02-28
Generated: 2026-06-16
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor   Product  Version / Range
ritlabs  tinyweb  up to 2.02 (2.02 excluded)
CWE ID   Description
CWE-770  The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400  The product does not properly control the allocation and maintenance of a limited resource.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-27630 is a high-severity Denial of Service (DoS) vulnerability affecting TinyWeb HTTP Server versions prior to 2.02. The vulnerability arises because TinyWeb creates a new operating system thread for every incoming connection without enforcing any limits on the maximum number of concurrent connections or setting appropriate request timeouts.

An unauthenticated remote attacker can exploit this by opening many connections and sending data extremely slowly (for example, one byte every few minutes). This behavior keeps threads and their associated memory occupied indefinitely, exhausting server concurrency limits and memory resources, which prevents legitimate clients from connecting.

The issue is located in the server's connection acceptance loop, where each accepted socket spawns a new thread without checking for concurrency limits or timeouts. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption).

The vulnerability was fixed in TinyWeb version 2.02 by introducing two key mitigations: a maximum connection limit (CMaxConnections) set to 512, and an idle connection timeout (CConnectionTimeoutSecs) set to 30 seconds, which terminates stalled or inactive connections. [1, 2, 3]
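The two controls described above (a cap on concurrent connections and an idle timeout on each one) are easiest to see in a minimal thread-per-connection accept loop. The following Python server is an added example written for this page, not TinyWeb's Delphi code: the constant names MAX_CONNECTIONS and IDLE_TIMEOUT_SECS, the ConnectionGate class and the toy HTTP handling are this example's assumptions, while the values 512 and 30 seconds are the ones the advisory gives for CMaxConnections and CConnectionTimeoutSecs. The vulnerable shape the advisory describes is the same loop with the gate check and the settimeout call removed.

```python
"""Bounded-concurrency accept loop with a per-connection idle timeout.

Added example, not TinyWeb's code.  MAX_CONNECTIONS, IDLE_TIMEOUT_SECS,
ConnectionGate and the toy HTTP handling are assumptions of this example;
the advisory names only CMaxConnections (512) and CConnectionTimeoutSecs (30 s).
"""
import socket
import threading
import time

MAX_CONNECTIONS = 512     # value the advisory gives for CMaxConnections
IDLE_TIMEOUT_SECS = 30.0  # value the advisory gives for CConnectionTimeoutSecs


class ConnectionGate:
    """Counts live connections and refuses new ones beyond the cap."""

    def __init__(self, limit):
        self._limit, self._active, self._lock = limit, 0, threading.Lock()

    def try_acquire(self):
        with self._lock:
            if self._active >= self._limit:
                return False
            self._active += 1
            return True

    def release(self):
        with self._lock:
            self._active -= 1


def read_request_head(conn, idle_timeout, max_bytes=8192):
    """Read up to the blank line ending the HTTP headers; None on stall/abuse.

    The per-read timeout defeats a client trickling one byte every few
    minutes: each byte resets the clock, but a single gap longer than
    idle_timeout ends the connection and frees its thread.
    """
    conn.settimeout(idle_timeout)
    buf = b""
    while b"\r\n\r\n" not in buf:
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return None
        if not chunk or len(buf) + len(chunk) > max_bytes:
            return None
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0]


def serve_connection(conn, gate, idle_timeout):
    try:
        if read_request_head(conn, idle_timeout) is not None:
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                         b"Connection: close\r\n\r\nok")
    except OSError:
        pass
    finally:
        gate.release()  # give the slot back before the peer sees the close
        conn.close()


def run_server(port=0, max_connections=MAX_CONNECTIONS,
               idle_timeout=IDLE_TIMEOUT_SECS, on_ready=None):
    """Thread-per-connection accept loop with both controls applied."""
    gate = ConnectionGate(max_connections)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(128)
    if on_ready:
        on_ready(srv.getsockname()[1])
    while True:
        conn, _ = srv.accept()
        if not gate.try_acquire():
            conn.close()  # at the cap: drop instead of spawning another thread
            continue
        threading.Thread(target=serve_connection,
                         args=(conn, gate, idle_timeout), daemon=True).start()


def start_background(max_connections, idle_timeout):
    """Run run_server in a daemon thread and return the port it bound."""
    ready, port = threading.Event(), []
    threading.Thread(target=run_server, kwargs=dict(
        max_connections=max_connections, idle_timeout=idle_timeout,
        on_ready=lambda p: (port.append(p), ready.set())), daemon=True).start()
    ready.wait(5)
    return port[0]


def idle_client_outcomes(port, count, idle_timeout):
    """Open `count` silent connections; return (refused_at_cap, closed_on_idle)."""
    socks = [socket.create_connection(("127.0.0.1", port)) for _ in range(count)]
    time.sleep(0.3)  # let the accept loop process all of them
    refused, pending = 0, []
    for s in socks:
        s.settimeout(0.05)
        try:
            if s.recv(1) == b"":  # hung up at once: the server was at its cap
                refused += 1
                s.close()
                continue
        except socket.timeout:
            pass
        pending.append(s)
    timed_out = 0
    for s in pending:  # the rest are cut off once the idle timeout elapses
        s.settimeout(idle_timeout + 3)
        try:
            timed_out += s.recv(1) == b""
        except socket.timeout:
            pass
        s.close()
    return refused, timed_out


def fetch_status_line(port):
    """A well-behaved client: sends a complete request, returns the status line."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
        return s.recv(1024).split(b"\r\n", 1)[0]
```

With a cap of 2 and a 1-second idle timeout, three silent clients produce one immediate refusal and two idle disconnects, after which a normal client is served again; without the gate and the timeout, the same three clients would hold three threads for as long as they liked.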

Impact Analysis

This vulnerability can impact you by causing a Denial of Service (DoS) condition on your TinyWeb server if you are running a version prior to 2.02. An attacker can exhaust your server's resources by opening many slow connections, which will consume all available threads and memory.

As a result, legitimate users will be unable to connect to your web server, leading to service unavailability and potential disruption of your hosted services.

If you cannot immediately upgrade, a temporary mitigation is to place the TinyWeb server behind a reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and enforce strict connection limits and timeouts. [1, 2]

Detection Guidance

This vulnerability manifests as a Denial of Service (DoS) condition caused by numerous slow connections exhausting server threads and memory. Detection involves monitoring for an unusually high number of concurrent connections to the TinyWeb server, especially connections that send data very slowly (e.g., 1 byte every few minutes).

Network or system administrators can detect potential exploitation by observing many open connections in a half-open or slow state to the TinyWeb server port (usually HTTP/HTTPS ports).

Suggested commands to detect suspicious connections include:

  • Using netstat or ss to list connections and their states, for example: `netstat -anp | grep :80` or `ss -tnp | grep :80` to check for many established or half-open connections. Note that these are Linux commands: TinyWeb itself runs on Win32, so on the server host use the Windows netstat, and run ss or lsof on a Linux proxy or gateway placed in front of it.
  • Using tools like `lsof` to identify processes with many open sockets: `lsof -i :80`.
  • Monitoring connection durations and data transfer rates to identify connections that remain open but transfer data extremely slowly.

Because the vulnerability involves slow data transfer to exhaust resources, network traffic analysis tools or intrusion detection systems configured to detect Slowloris-style attacks can also be helpful.
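A bare `ss -tnp | grep :80` only shows the raw list; what a responder wants is the number of connections to the server port and how they are distributed across sources, since a Slowloris flood typically arrives as many connections from a few addresses. The script below is an added example (not from the advisory or TinyWeb) that parses `ss -tn` output for exactly that. The sample output, the thresholds and the function names are constructed for the example; the IPv6 bracket handling and the TIME-WAIT filter go slightly beyond the page's one-liner so the script also works on `ss -tan` output.

```python
"""Count connections to a server port per peer address from `ss -tn` output.

Added example; the sample below is constructed and the thresholds are
illustrative, not values from the advisory.
"""
from collections import Counter

# Constructed sample of `ss -tan` output: one noisy source, one moderate
# one, an unrelated SSH session, an IPv6 peer and a TIME-WAIT leftover.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:80        198.51.100.7:51234
ESTAB      0      0      192.0.2.10:80        198.51.100.7:51235
ESTAB      0      0      192.0.2.10:80        198.51.100.7:51236
ESTAB      0      0      192.0.2.10:80        198.51.100.7:51237
ESTAB      0      0      192.0.2.10:80        198.51.100.7:51238
ESTAB      0      0      192.0.2.10:80        198.51.100.7:51239
ESTAB      0      0      192.0.2.10:80        198.51.100.8:60001
ESTAB      0      0      192.0.2.10:80        198.51.100.8:60002
ESTAB      0      0      192.0.2.10:80        198.51.100.8:60003
ESTAB      0      0      192.0.2.10:80        198.51.100.8:60004
ESTAB      0      0      192.0.2.10:22        203.0.113.5:40000
ESTAB      0      0      [2001:db8::10]:80    [2001:db8::7]:40001
ESTAB      0      0      192.0.2.10:80        203.0.113.9:44321
TIME-WAIT  0      0      192.0.2.10:80        203.0.113.9:44300
"""

# Sockets in these states hold no worker thread on the server.
IDLE_STATES = ("LISTEN", "TIME-WAIT", "CLOSED")


def split_hostport(field):
    """'[2001:db8::7]:40001' -> ('2001:db8::7', '40001'); handles IPv4 too."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), port


def parse_ss(text):
    """Yield (state, local_port, peer_addr) for each connection row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header or blank line
        _, local_port = split_hostport(fields[3])
        peer_addr, _ = split_hostport(fields[4])
        if not local_port.isdigit():
            continue  # e.g. a wildcard port on a listening socket
        yield fields[0], int(local_port), peer_addr


def connections_per_peer(text, port):
    """Counter of live connections to `port`, keyed by peer address."""
    counts = Counter()
    for state, local_port, peer in parse_ss(text):
        if local_port == port and state not in IDLE_STATES:
            counts[peer] += 1
    return counts


def assess(text, port, per_source_limit, total_limit):
    """Summarise the port's connection load against two thresholds.

    total_limit should sit well below the server's thread budget (512 in
    the patched TinyWeb, unbounded before); per_source_limit catches a
    single host holding an outsized share of that budget.
    """
    counts = connections_per_peer(text, port)
    total = sum(counts.values())
    offenders = sorted(((addr, n) for addr, n in counts.items()
                        if n > per_source_limit), key=lambda item: -item[1])
    return {"total": total, "over_total_limit": total > total_limit,
            "offenders": offenders}


if __name__ == "__main__":
    print(assess(SAMPLE_SS_OUTPUT, 80, per_source_limit=5, total_limit=10))
```

On a live host, feed the script the real output of `ss -tan` instead of the sample; the per-source view is only half the picture for a distributed flood, which is why the total is reported against the server's thread budget as well.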

Mitigation Strategies

The primary and recommended mitigation is to upgrade TinyWeb to version 2.02 or later, which includes fixes that enforce a maximum connection limit (512 concurrent connections) and a 30-second idle connection timeout to prevent resource exhaustion.

If immediate upgrading is not possible, deploy the TinyWeb server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare.

Configure the reverse proxy or WAF to buffer incomplete requests and aggressively enforce connection limits and timeouts to mitigate Slowloris-style attacks.

  • Set maximum concurrent connection limits on the proxy to prevent excessive simultaneous connections.
  • Configure idle connection timeouts to close connections that send data too slowly.

These steps help prevent attackers from exhausting server threads and memory by holding connections open indefinitely.
