CVE-2026-31842

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.

CVSS v3 7.5 HIGH
CVSS v2.0 7.8 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

7.8^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:C

Exploitability : 10.0 / Impact : 6.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

References

Link	Resource
https://datatracker.ietf.org/doc/html/rfc7230	Exploit Technical Description
https://github.com/tinyproxy/tinyproxy	Product
https://github.com/tinyproxy/tinyproxy/issues/604	Exploit Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:tinyproxy_project:tinyproxy:*:*:*:*:*:*:*:*

History

29 Apr 2026, 18:51

Type	Values Removed	Values Added
First Time		Tinyproxy Project tinyproxy Tinyproxy Project
CPE		cpe:2.3:a:tinyproxy_project:tinyproxy::::::::
References	~~() https://datatracker.ietf.org/doc/html/rfc7230 -~~	() https://datatracker.ietf.org/doc/html/rfc7230 - Exploit, Technical Description
References	~~() https://github.com/tinyproxy/tinyproxy -~~	() https://github.com/tinyproxy/tinyproxy - Product
References	~~() https://github.com/tinyproxy/tinyproxy/issues/604 -~~	() https://github.com/tinyproxy/tinyproxy/issues/604 - Exploit, Issue Tracking

07 Apr 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-07 12:16

Updated : 2026-04-29 18:51

NVD link : CVE-2026-31842

Mitre link : CVE-2026-31842

CVE.ORG link : CVE-2026-31842

JSON object : View

Products Affected

tinyproxy_project

tinyproxy

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

7.8 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

JSON object

Attach tags to CVE-2026-31842

7.5^/10

7.8^/10

Attach tags to `CVE-2026-31842`