Tinyproxy
CVE-2025-63938
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.
AnalysisAI
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Integer Overflow (CWE-190), which allows attackers to cause unexpected behavior through arithmetic overflow. Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Affected products include: Tinyproxy Project Tinyproxy. Version information: through 1.11.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate arithmetic operations, use safe integer libraries, check bounds before allocation.
Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used.
HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy an
HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and bac
Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics pa
main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-roo
Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today