CVE-2026-31842
Received Received - Intake
HTTP Request Parsing Desync in Tinyproxy Causes DoS and Bypass

Publication date: 2026-04-07

Last updated on: 2026-04-29

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31842
EUVD
EUVD-2026-19603
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tinyproxy_project tinyproxy to 1.11.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31842 is a vulnerability in Tinyproxy up to version 1.11.3 caused by improper, case-sensitive handling of the HTTP Transfer-Encoding header. Tinyproxy's function that checks if a request uses chunked transfer encoding compares the header value using a case-sensitive string comparison against "chunked". However, according to RFC 7230, transfer-coding names are case-insensitive, so "Chunked" should be treated the same as "chunked".

Because of this, if an attacker sends a request with "Transfer-Encoding: Chunked" (capitalized 'C'), Tinyproxy fails to recognize it as chunked encoding. It then misinterprets the request as having no body, skips processing the chunked body, and immediately forwards the headers upstream while switching to raw TCP forwarding mode. This causes the backend server, which expects chunked data, to hang waiting for the body that Tinyproxy never properly forwards.

This desynchronization between Tinyproxy and backend servers leads to inconsistent request states and can be exploited to cause denial of service or bypass security controls.

Impact Analysis

This vulnerability can impact you in two main ways:

  • Application-level Denial of Service (DoS): By sending specially crafted requests with "Transfer-Encoding: Chunked", an attacker can cause backend servers to hang indefinitely waiting for chunked body data that Tinyproxy does not properly forward. This can exhaust backend worker resources and cause service outages.
  • Security Control Bypass: In deployments where Tinyproxy is used to inspect, filter, or enforce security policies on request bodies, the unread chunked body data may be forwarded without inspection. This allows attackers to bypass Web Application Firewalls (WAFs), ICAP filters, or other security mechanisms relying on Tinyproxy's parsing.
Detection Guidance

This vulnerability can be detected by monitoring HTTP requests passing through Tinyproxy for the presence of the Transfer-Encoding header with a capitalized value "Chunked" instead of the lowercase "chunked". Since the vulnerability arises from case-sensitive comparison, requests with "Transfer-Encoding: Chunked" cause Tinyproxy to misinterpret the request.

A practical detection approach is to capture and inspect HTTP traffic to identify requests with the header "Transfer-Encoding: Chunked". Network packet capture tools like tcpdump or Wireshark can be used for this purpose.

  • Use tcpdump to capture HTTP traffic on the proxy port (e.g., port 8888): tcpdump -A -s 0 'tcp port 8888 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Transfer-Encoding: Chunked'
  • Use tshark (Wireshark CLI) to filter HTTP requests with the header: tshark -i <interface> -Y 'http.header.transfer_encoding == "Chunked"' -T fields -e http.host -e http.request.uri

Additionally, reviewing Tinyproxy logs for unusual connection hangs or backend timeouts may help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include preventing the exploitation of the case-sensitive comparison flaw in Tinyproxy by either updating or configuring the environment to avoid the problematic behavior.

  • If possible, upgrade Tinyproxy to a version where the comparison of the Transfer-Encoding header is done case-insensitively (e.g., replacing strcmp() with strcasecmp()). However, no current patches or pull requests addressing this issue are noted.
  • Implement network-level filtering to block or normalize HTTP requests containing the header "Transfer-Encoding: Chunked" with a capitalized 'C' before they reach Tinyproxy.
  • Configure backend servers to have appropriate timeouts and limits to mitigate the impact of hanging connections caused by this vulnerability.

Since the vulnerability allows bypassing request-body inspection, consider deploying additional security controls downstream that do not rely solely on Tinyproxy for filtering.

Compliance Impact

This vulnerability in Tinyproxy allows an unauthenticated remote attacker to bypass request-body inspection and filtering by exploiting case-sensitive handling of the Transfer-Encoding header. As a result, security controls relying on Tinyproxy for request-body inspection may be bypassed, potentially allowing malicious payloads to reach backend systems without proper scrutiny.

Such bypasses of security controls can lead to unauthorized data exposure or manipulation, which may impact compliance with regulations like GDPR or HIPAA that require protection of sensitive data and enforcement of security policies.

Additionally, the vulnerability can cause backend denial of service, potentially disrupting availability requirements mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31842. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart