Skip to main content

Tinyproxy

7 CVEs product

Monthly

CVE-2026-54388 CRITICAL PATCH Act Now

HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy and its backend by sending requests with multiple Content-Length headers having differing values. Because Tinyproxy forwards all duplicate Content-Length headers while parsing only the first value, downstream servers may interpret request boundaries differently, enabling cache poisoning, access control bypass, and request hijacking. No public exploit identified at time of analysis, but the underlying primitive is well documented and the upstream commit 364cdb6 clearly demonstrates the parsing flaw.

Authentication Bypass Request Smuggling Tinyproxy
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-54387 CRITICAL PATCH Act Now

HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and backend by sending requests carrying both Content-Length and Transfer-Encoding: chunked headers. Tinyproxy forwards both headers verbatim while parsing the body using Content-Length, producing a classic CL.TE desync that enables cache poisoning, access control bypass, and request hijacking against the backend. No public exploit identified at time of analysis, though VulnCheck has published an advisory and the upstream issue/PR describe the bug in detail.

Authentication Bypass Request Smuggling Tinyproxy
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-55202 HIGH PATCH This Week

Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics page and smuggle transparent-proxy requests by forging or port-manipulating the HTTP Host header, because stathost detection used a brittle strcmp against the configured hostname. The flaw is a CWE-444 request-interpretation inconsistency reported by VulnCheck; no public exploit identified at time of analysis, though the upstream fix (commit 09312a1) and a detailed PR diff are publicly available, making a working PoC trivial to reconstruct.

Authentication Bypass Request Smuggling Tinyproxy
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2025-63938 MEDIUM POC PATCH This Month

Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Tinyproxy Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2022-40468 HIGH POC This Week

Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Tinyproxy
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2017-11747 MEDIUM PATCH This Month

main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Tinyproxy
NVD GitHub
CVSS 3.0
5.5
EPSS
0.0%
CVE-2012-3505 MEDIUM This Month

Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that trigger. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Tinyproxy
NVD
CVSS 2.0
5.0
EPSS
2.5%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy and its backend by sending requests with multiple Content-Length headers having differing values. Because Tinyproxy forwards all duplicate Content-Length headers while parsing only the first value, downstream servers may interpret request boundaries differently, enabling cache poisoning, access control bypass, and request hijacking. No public exploit identified at time of analysis, but the underlying primitive is well documented and the upstream commit 364cdb6 clearly demonstrates the parsing flaw.

Authentication Bypass Request Smuggling Tinyproxy
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and backend by sending requests carrying both Content-Length and Transfer-Encoding: chunked headers. Tinyproxy forwards both headers verbatim while parsing the body using Content-Length, producing a classic CL.TE desync that enables cache poisoning, access control bypass, and request hijacking against the backend. No public exploit identified at time of analysis, though VulnCheck has published an advisory and the upstream issue/PR describe the bug in detail.

Authentication Bypass Request Smuggling Tinyproxy
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics page and smuggle transparent-proxy requests by forging or port-manipulating the HTTP Host header, because stathost detection used a brittle strcmp against the configured hostname. The flaw is a CWE-444 request-interpretation inconsistency reported by VulnCheck; no public exploit identified at time of analysis, though the upstream fix (commit 09312a1) and a detailed PR diff are publicly available, making a working PoC trivial to reconstruct.

Authentication Bypass Request Smuggling Tinyproxy
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Tinyproxy +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Tinyproxy
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Tinyproxy
NVD GitHub
EPSS 3% CVSS 5.0
MEDIUM This Month

Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that trigger. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Tinyproxy
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy