Tinyproxy
CVE-2026-54388
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote unauthenticated smuggling via crafted headers (AV:N/AC:L/PR:N/UI:N); scope changes as the proxy mis-delivers requests to a separate backend authority (S:C); confidentiality and integrity of smuggled/poisoned traffic are high, availability not directly impacted.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
AnalysisAI
HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy and its backend by sending requests with multiple Content-Length headers having differing values. Because Tinyproxy forwards all duplicate Content-Length headers while parsing only the first value, downstream servers may interpret request boundaries differently, enabling cache poisoning, access control bypass, and request hijacking. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to a Tinyproxy instance at or below version 1.11.3 that is forwarding HTTP traffic to a backend whose Content-Length parser disagrees with Tinyproxy's first-header preference (a near-universal condition given common backends like nginx, Apache, and Node-based services). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) and the 9.3 base score reflect that exploitation requires only an attacker-reachable Tinyproxy instance and crafted HTTP traffic, with no authentication, user interaction, or unusual conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a vulnerable Tinyproxy instance - for example, an internal user, a tenant on a shared proxy, or any client of an exposed forward proxy - sends a single TCP request containing two Content-Length headers with differing values plus a smuggled second request hidden in the body. Tinyproxy uses the first Content-Length to determine body length and forwards both headers to the backend, which uses the second value, causing the backend to interpret the trailing bytes as a new request attributed to the next legitimate client. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the changes in commit 364cdb6 (https://github.com/tinyproxy/tinyproxy/commit/364cdb67e0ea00a8e4a7037e2693e0711e816adb) by upgrading to a build that includes the patch or by rebuilding from current main, since no tagged release beyond 1.11.3 is referenced in the input. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Tinyproxy deployments and assess which handle sensitive traffic or enforce security policies. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used.
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.
HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and bac
Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics pa
main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-roo
Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today