Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.
AnalysisAI
HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.
Technical ContextAI
The vulnerability exists in Tinyproxy's src/reqs.c file, specifically in the is_chunked_transfer() function which performs case-sensitive string comparison using strcmp() against the literal 'chunked' value. RFC 7230 Section 4 mandates case-insensitive handling of transfer-coding names, meaning 'chunked', 'Chunked', and 'CHUNKED' must be treated identically. This CWE-444 (Inconsistent Interpretation of HTTP Requests) class flaw creates a state desynchronization where Tinyproxy misinterprets capitalized 'Chunked' as having no Transfer-Encoding, sets content_length.client to -1, bypasses pull_client_data_chunked() function, and immediately transitions to relay_connection() raw TCP mode. Meanwhile, RFC-compliant backend servers correctly parse the capitalized header and enter chunked transfer decoding mode, waiting indefinitely for chunk-encoded body data. The buffered but unforwarded request body remains in Tinyproxy's input stream, creating a persistent request-response desynchronization that can propagate to subsequent pipelined requests, a classic HTTP request smuggling condition vector.
RemediationAI
Review GitHub issue https://github.com/tinyproxy/tinyproxy/issues/604 for upstream development status and apply patches when vendor releases fix addressing case-insensitive Transfer-Encoding header comparison. Until patched version becomes available, implement network-layer controls to block or normalize Transfer-Encoding headers with non-lowercase values at perimeter firewalls or WAF devices. For environments requiring immediate risk reduction, consider replacing Tinyproxy with alternative proxy solutions that demonstrate RFC 7230 compliance, or deploy Tinyproxy behind a normalizing reverse proxy that enforces lowercase header canonicalization. Organizations using Tinyproxy for security inspection should audit whether request bodies are being properly validated, as existing deployments may have unknowingly allowed uninspected content through this parsing discrepancy. Monitor backend connection pools for sustained connection exhaustion patterns that may indicate exploitation attempts. Consult RFC 7230 specification at https://datatracker.ietf.org/doc/html/rfc7230 for HTTP compliance requirements and validate any custom proxy implementations against case-insensitivity requirements for transfer-coding directives.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19603
GHSA-mh87-c4c3-cgwf