CVE-2026-27630
Slowloris DoS Vulnerability in TinyWeb Server Prior to
Publication date: 2026-02-26
Last updated on: 2026-02-28
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ritlabs | tinyweb | to 2.02 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27630 is a high-severity Denial of Service (DoS) vulnerability affecting TinyWeb HTTP Server versions prior to 2.02. The vulnerability arises because TinyWeb creates a new operating system thread for every incoming connection without enforcing any limits on the maximum number of concurrent connections or setting appropriate request timeouts.

An unauthenticated remote attacker can exploit this by opening many connections and sending data extremely slowly (for example, one byte every few minutes). This behavior keeps threads and their associated memory occupied indefinitely, exhausting server concurrency limits and memory resources, which prevents legitimate clients from connecting.

The issue is located in the server's connection acceptance loop, where each accepted socket spawns a new thread without checking for concurrency limits or timeouts. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption).

The vulnerability was fixed in TinyWeb version 2.02 by introducing two key mitigations: a maximum connection limit (CMaxConnections) set to 512, and an idle connection timeout (CConnectionTimeoutSecs) set to 30 seconds, which terminates stalled or inactive connections. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by causing a Denial of Service (DoS) condition on your TinyWeb server if you are running a version prior to 2.02. An attacker can exhaust your server's resources by opening many slow connections, which will consume all available threads and memory.

As a result, legitimate users will be unable to connect to your web server, leading to service unavailability and potential disruption of your hosted services.

If you cannot immediately upgrade, a temporary mitigation is to place the TinyWeb server behind a reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and enforce strict connection limits and timeouts. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a Denial of Service (DoS) condition caused by numerous slow connections exhausting server threads and memory. Detection involves monitoring for an unusually high number of concurrent connections to the TinyWeb server, especially connections that send data very slowly (e.g., 1 byte every few minutes).
Network or system administrators can detect potential exploitation by observing many open connections in a half-open or slow state to the TinyWeb server port (usually HTTP/HTTPS ports).
Suggested commands to detect suspicious connections include:
- Using netstat or ss to list connections and their states, for example: `netstat -anp | grep :80` or `ss -tnp | grep :80` to check for many established or half-open connections.
- Using tools like `lsof` to identify processes with many open sockets: `lsof -i :80`.
- Monitoring connection durations and data transfer rates to identify connections that remain open but transfer data extremely slowly.
Because the vulnerability involves slow data transfer to exhaust resources, network traffic analysis tools or intrusion detection systems configured to detect Slowloris-style attacks can also be helpful.
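The commands above list connections one line at a time; what a defender usually wants is the per-peer count, since a Slowloris-style condition typically shows as one or a few remote addresses holding dozens of open connections to the web port. The following shell function, an added example that is not part of the CVE record or of TinyWeb, summarises `ss -tn`-style output by peer address and flags peers at or above a threshold. The sample connection table embedded in it is constructed; on a live host you would pipe the output of `ss -tn state established '( sport = :80 )'` (or the port TinyWeb listens on) into `count_peers` instead.

```shell
#!/bin/sh
# Added example (not from the CVE record): summarise established TCP
# connections on the web port per remote address and flag peers that
# hold an unusually large number of them. The threshold is a local
# judgement call; legitimate browsers rarely hold more than a handful.

# Constructed sample of `ss -tn state established '( sport = :80 )'`
# output (header line followed by one row per connection).
SAMPLE_SS='Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      192.0.2.10:80     198.51.100.7:51001
0      0      192.0.2.10:80     198.51.100.7:51002
0      0      192.0.2.10:80     198.51.100.7:51003
0      0      192.0.2.10:80     198.51.100.7:51004
0      0      192.0.2.10:80     203.0.113.5:40001
0      0      192.0.2.10:80     203.0.113.9:40002'

# count_peers THRESHOLD
# Reads ss output on stdin and prints "COUNT PEER" for every peer
# address with at least THRESHOLD connections, busiest first.
count_peers() {
    threshold="$1"
    awk -v thr="$threshold" '
        NR == 1 { next }                 # skip the ss header line
        {
            peer = $NF                   # last column: Peer Address:Port
            sub(/:[0-9]+$/, "", peer)    # drop the port, keep the host
            n[peer]++
        }
        END {
            for (p in n) if (n[p] >= thr) printf "%d %s\n", n[p], p
        }' | sort -rn
}

# Stand-alone run over the constructed sample: only 198.51.100.7 has
# four or more connections, so it is the one peer reported.
printf '%s\n' "$SAMPLE_SS" | count_peers 3
```

A peer appearing here is a lead, not a verdict: a NAT gateway or a busy proxy can legitimately hold many connections, so confirm by checking how long those connections have been open and how little data they have transferred before acting.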
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade TinyWeb to version 2.02 or later, which includes fixes that enforce a maximum connection limit (512 concurrent connections) and a 30-second idle connection timeout to prevent resource exhaustion.
If immediate upgrading is not possible, deploy the TinyWeb server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare.
Configure the reverse proxy or WAF to buffer incomplete requests and aggressively enforce connection limits and timeouts to mitigate Slowloris-style attacks.
- Set maximum concurrent connection limits on the proxy to prevent excessive simultaneous connections.
- Configure idle connection timeouts to close connections that send data too slowly.
These steps help prevent attackers from exhausting server threads and memory by holding connections open indefinitely.
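Placing TinyWeb behind a proxy only helps if the proxy's limits are actually set, and default nginx installations leave header and body timeouts at 60 seconds with no per-client connection cap. The shell function below is an added example, not part of the CVE record or of TinyWeb: it audits an nginx configuration for the directives that implement the two mitigations named above (a per-client connection limit and timeouts on slow request delivery), and exits non-zero when any is missing. Both configurations it checks are constructed; the directive names (`limit_conn`, `client_header_timeout`, `client_body_timeout`, `send_timeout`) are real nginx directives, while the backend address 127.0.0.1:8080 and the chosen values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the CVE record): check that an nginx reverse
# proxy in front of TinyWeb enforces a per-client connection cap and
# timeouts on slow request delivery, the proxy-side counterpart of the
# CMaxConnections / CConnectionTimeoutSecs fix in TinyWeb 2.02.

# Constructed weak server block: proxies to TinyWeb (assumed backend
# 127.0.0.1:8080) but sets no connection limit and inherits nginx's
# default 60-second header/body timeouts.
WEAK_CONF='server {
    listen 80;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}'

# Constructed hardened block: at most 20 connections per client IP,
# and connections whose headers, body or response stall for more than
# 10 seconds are closed. Values are illustrative; tune to your traffic.
HARDENED_CONF='limit_conn_zone $binary_remote_addr zone=perip:10m;
server {
    listen 80;
    limit_conn perip 20;
    client_header_timeout 10s;
    client_body_timeout 10s;
    send_timeout 10s;
    keepalive_timeout 15s;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}'

# check_proxy_config
# Reads an nginx configuration on stdin, prints each required
# anti-slowloris directive that is absent, and returns 0 only when
# all of them are present.
check_proxy_config() {
    conf="$(cat)"
    missing=0
    for directive in limit_conn client_header_timeout client_body_timeout send_timeout; do
        # Anchor on the directive name followed by whitespace so that
        # "limit_conn_zone" does not satisfy the "limit_conn" check.
        if ! printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*${directive}[[:space:]]"; then
            echo "missing: $directive"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone run: the weak block reports four missing directives,
# the hardened block reports none.
echo "weak config:";     printf '%s\n' "$WEAK_CONF"     | check_proxy_config || true
echo "hardened config:"; printf '%s\n' "$HARDENED_CONF" | check_proxy_config && echo "ok"
```

Run it against the real file with `check_proxy_config < /etc/nginx/nginx.conf` (or the relevant site file). The check is deliberately literal and looks only at the supplied file, so configurations that set these directives in an included file will need that file passed in as well.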