Tinyproxy
CVE-2026-54387
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable proxy, no auth or user interaction, low complexity; smuggling crosses a trust boundary into the backend so Scope:Changed, with high confidentiality/integrity impact and no availability hit.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
AnalysisAI
HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and backend by sending requests carrying both Content-Length and Transfer-Encoding: chunked headers. Tinyproxy forwards both headers verbatim while parsing the body using Content-Length, producing a classic CL.TE desync that enables cache poisoning, access control bypass, and request hijacking against the backend. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker needs only network reachability to a Tinyproxy listener (any version up to and including 1.11.3) that forwards to a backend; per CVSS PR:N/UI:N/AT:N the attack is unauthenticated, requires no user interaction, and works against default Tinyproxy configurations because the header-reconciliation flaw is in core request handling, not behind an optional feature. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) of 9.3 Critical is consistent with the description: any reachable Tinyproxy instance can be hit with crafted HTTP requests, no authentication, no user interaction, with high confidentiality and integrity impact on smuggled-to backends and zero availability impact (a desync rarely DoSes the proxy itself). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker reachable to a Tinyproxy listener sends a single HTTP request containing a Content-Length header sized to cover only the visible request, plus a Transfer-Encoding: chunked header whose body smuggles a second hidden request (for example, a POST to an admin endpoint or a request that poisons a downstream cache key). Tinyproxy consumes only Content-Length bytes and forwards the full payload, so the backend treats the trailing bytes as the next pipelined request from a trusted source, allowing the attacker to hijack a victim's session, bypass IP/path ACLs, or poison a shared cache. … |
| Remediation | Upstream fix available (PR #610 / commit ff45d3b); released patched version not independently confirmed, so operators should either build Tinyproxy from a tree containing commit ff45d3bf0e61d0f8ed97ab379d3047f04eb67521 or wait for and install a distribution package that backports it (track https://github.com/tinyproxy/tinyproxy/pull/610 and the VulnCheck advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Tinyproxy 1.11.3 or earlier and assess their exposure and role in request handling. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used.
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.
HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy an
Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics pa
main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-roo
Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today