Tinyproxy

2 CVEs product

Monthly

Sort: Newest CVSS Score EPSS Score Oldest
CVE-2026-31842 HIGH This Week

HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.

Request Smuggling Denial Of Service Tinyproxy
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-63938 MEDIUM POC PATCH This Month

Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Tinyproxy Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-31842
EPSS 0% CVSS 8.7
HIGH This Week

HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.

Request Smuggling Denial Of Service Tinyproxy
NVD GitHub VulDB
CVE-2025-63938
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Tinyproxy +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy