CVE-2026-31842
HTTP Request Parsing Desync in Tinyproxy Causes DoS and Bypass
Publication date: 2026-04-07
Last updated on: 2026-04-29
Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tinyproxy_project | tinyproxy | to 1.11.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31842 is a vulnerability in Tinyproxy up to version 1.11.3 caused by improper, case-sensitive handling of the HTTP Transfer-Encoding header. Tinyproxy's function that checks if a request uses chunked transfer encoding compares the header value using a case-sensitive string comparison against "chunked". However, according to RFC 7230, transfer-coding names are case-insensitive, so "Chunked" should be treated the same as "chunked".
Because of this, if an attacker sends a request with "Transfer-Encoding: Chunked" (capitalized 'C'), Tinyproxy fails to recognize it as chunked encoding. It then misinterprets the request as having no body, skips processing the chunked body, and immediately forwards the headers upstream while switching to raw TCP forwarding mode. This causes the backend server, which expects chunked data, to hang waiting for the body that Tinyproxy never properly forwards.
This desynchronization between Tinyproxy and backend servers leads to inconsistent request states and can be exploited to cause denial of service or bypass security controls.
How can this vulnerability impact me? :
This vulnerability can impact you in two main ways:
- Application-level Denial of Service (DoS): By sending specially crafted requests with "Transfer-Encoding: Chunked", an attacker can cause backend servers to hang indefinitely waiting for chunked body data that Tinyproxy does not properly forward. This can exhaust backend worker resources and cause service outages.
- Security Control Bypass: In deployments where Tinyproxy is used to inspect, filter, or enforce security policies on request bodies, the unread chunked body data may be forwarded without inspection. This allows attackers to bypass Web Application Firewalls (WAFs), ICAP filters, or other security mechanisms relying on Tinyproxy's parsing.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests passing through Tinyproxy for the presence of the Transfer-Encoding header with a capitalized value "Chunked" instead of the lowercase "chunked". Since the vulnerability arises from case-sensitive comparison, requests with "Transfer-Encoding: Chunked" cause Tinyproxy to misinterpret the request.
A practical detection approach is to capture and inspect HTTP traffic to identify requests with the header "Transfer-Encoding: Chunked". Network packet capture tools like tcpdump or Wireshark can be used for this purpose.
- Use tcpdump to capture HTTP traffic on the proxy port (e.g., port 8888): tcpdump -A -s 0 'tcp port 8888 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Transfer-Encoding: Chunked'
- Use tshark (Wireshark CLI) to filter HTTP requests with the header: tshark -i <interface> -Y 'http.header.transfer_encoding == "Chunked"' -T fields -e http.host -e http.request.uri
Additionally, reviewing Tinyproxy logs for unusual connection hangs or backend timeouts may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the exploitation of the case-sensitive comparison flaw in Tinyproxy by either updating or configuring the environment to avoid the problematic behavior.
- If possible, upgrade Tinyproxy to a version where the comparison of the Transfer-Encoding header is done case-insensitively (e.g., replacing strcmp() with strcasecmp()). However, no current patches or pull requests addressing this issue are noted.
- Implement network-level filtering to block or normalize HTTP requests containing the header "Transfer-Encoding: Chunked" with a capitalized 'C' before they reach Tinyproxy.
- Configure backend servers to have appropriate timeouts and limits to mitigate the impact of hanging connections caused by this vulnerability.
Since the vulnerability allows bypassing request-body inspection, consider deploying additional security controls downstream that do not rely solely on Tinyproxy for filtering.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability in Tinyproxy allows an unauthenticated remote attacker to bypass request-body inspection and filtering by exploiting case-sensitive handling of the Transfer-Encoding header. As a result, security controls relying on Tinyproxy for request-body inspection may be bypassed, potentially allowing malicious payloads to reach backend systems without proper scrutiny.
Such bypasses of security controls can lead to unauthorized data exposure or manipulation, which may impact compliance with regulations like GDPR or HIPAA that require protection of sensitive data and enforcement of security policies.
Additionally, the vulnerability can cause backend denial of service, potentially disrupting availability requirements mandated by these standards.