Skip to main content

Node.js CVE-2026-31842

| EUVDEUVD-2026-19603 HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-04-07 TuranSec GHSA-mh87-c4c3-cgwf
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 29, 2026 - 18:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 11:45 euvd
EUVD-2026-19603
Analysis Generated
Apr 07, 2026 - 11:45 vuln.today
CVE Published
Apr 07, 2026 - 11:17 nvd
HIGH 8.7

DescriptionCVE.org

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.

AnalysisAI

HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.

Technical ContextAI

The vulnerability exists in Tinyproxy's src/reqs.c file, specifically in the is_chunked_transfer() function which performs case-sensitive string comparison using strcmp() against the literal 'chunked' value. RFC 7230 Section 4 mandates case-insensitive handling of transfer-coding names, meaning 'chunked', 'Chunked', and 'CHUNKED' must be treated identically. This CWE-444 (Inconsistent Interpretation of HTTP Requests) class flaw creates a state desynchronization where Tinyproxy misinterprets capitalized 'Chunked' as having no Transfer-Encoding, sets content_length.client to -1, bypasses pull_client_data_chunked() function, and immediately transitions to relay_connection() raw TCP mode. Meanwhile, RFC-compliant backend servers correctly parse the capitalized header and enter chunked transfer decoding mode, waiting indefinitely for chunk-encoded body data. The buffered but unforwarded request body remains in Tinyproxy's input stream, creating a persistent request-response desynchronization that can propagate to subsequent pipelined requests, a classic HTTP request smuggling condition vector.

RemediationAI

Review GitHub issue https://github.com/tinyproxy/tinyproxy/issues/604 for upstream development status and apply patches when vendor releases fix addressing case-insensitive Transfer-Encoding header comparison. Until patched version becomes available, implement network-layer controls to block or normalize Transfer-Encoding headers with non-lowercase values at perimeter firewalls or WAF devices. For environments requiring immediate risk reduction, consider replacing Tinyproxy with alternative proxy solutions that demonstrate RFC 7230 compliance, or deploy Tinyproxy behind a normalizing reverse proxy that enforces lowercase header canonicalization. Organizations using Tinyproxy for security inspection should audit whether request bodies are being properly validated, as existing deployments may have unknowingly allowed uninspected content through this parsing discrepancy. Monitor backend connection pools for sustained connection exhaustion patterns that may indicate exploitation attempts. Consult RFC 7230 specification at https://datatracker.ietf.org/doc/html/rfc7230 for HTTP compliance requirements and validate any custom proxy implementations against case-insensitivity requirements for transfer-coding directives.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-31842 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy