What is the CVSS score of CVE-2025-63938?

CVE-2025-63938 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of Tinyproxy are affected by CVE-2025-63938?

Organizations using Tinyproxy through 1.11.2 should be aware of notable risk from CVE-2025-63938, a integer overflow vulnerability rated CVSS 6.5.. A patch is available.

Is there a public PoC exploit available for CVE-2025-63938?

Yes, a public proof-of-concept exploit is available for CVE-2025-63938. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-63938?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Tinyproxy CVE-2025-63938

MEDIUM

Integer Overflow or Wraparound (CWE-190)

2025-11-26 cve@mitre.org

Buffer Overflow Integer Overflow Suse Tinyproxy

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:24 vuln.today

Patch released

Mar 28, 2026 - 19:24 nvd

Patch available

PoC Detected

Jan 02, 2026 - 20:48 vuln.today

Public exploit code

CVE Published

Nov 26, 2025 - 17:15 nvd

MEDIUM 6.5

DescriptionNVD

Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.

AnalysisAI

Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Integer Overflow (CWE-190), which allows attackers to cause unexpected behavior through arithmetic overflow. Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Affected products include: Tinyproxy Project Tinyproxy. Version information: through 1.11.2.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate arithmetic operations, use safe integer libraries, check bounds before allocation.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2025-63938 vulnerability details – vuln.today

Back

Tinyproxy CVE-2025-63938

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code