Vulnerability-Lookup

WID-SEC-W-2026-0999

Vulnerability from csaf_certbund - Published: 2026-04-07 22:00 - Updated: 2026-04-12 22:00

Summary

Tinyproxy: Schwachstelle ermöglicht Denial of Service

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Tinyproxy ist ein HTTP/HTTPS-Proxy-Daemon für POSIX-Betriebssysteme.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Tinyproxy ausnutzen, um einen Denial of Service Angriff durchzuführen oder Sicherheitsmaßnahmen zu umgehen.

Betroffene Betriebssysteme: - Sonstiges - UNIX

CVE-2026-31842

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—

Last affected 1 product

Product	Identifier	Version	Remediation
Open Source Tinyproxy <=1.11.3 Open Source / Tinyproxy		<=1.11.3

References

15 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/tinyproxy/tinyproxy/issues/604	external
https://bugzilla.redhat.com/show_bug.cgi?id=2455893	external
https://github.com/advisories/GHSA-MH87-C4C3-CGWF	external
https://euvd.enisa.europa.eu/enisa/EUVD-2026-19603	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://bodhi.fedoraproject.org/updates/FEDORA-EP…	external
https://bodhi.fedoraproject.org/updates/FEDORA-EP…	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://bodhi.fedoraproject.org/updates/FEDORA-EP…	external
https://bodhi.fedoraproject.org/updates/FEDORA-EP…	external
https://bodhi.fedoraproject.org/updates/FEDORA-EP…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Tinyproxy ist ein HTTP/HTTPS-Proxy-Daemon f\u00fcr POSIX-Betriebssysteme.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Tinyproxy ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder Sicherheitsma\u00dfnahmen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0999 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0999.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0999 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0999"
      },
      {
        "category": "external",
        "summary": "tinyproxy GitHub Issue #604 vom 2026-04-07",
        "url": "https://github.com/tinyproxy/tinyproxy/issues/604"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2455893 vom 2026-04-07",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455893"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-MH87-C4C3-CGWF vom 2026-04-07",
        "url": "https://github.com/advisories/GHSA-MH87-C4C3-CGWF"
      },
      {
        "category": "external",
        "summary": "EUVD-2026-19603 vom 2026-04-07",
        "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-19603"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-1C7A717DBC vom 2026-04-09",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-1c7a717dbc"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-D67A979089 vom 2026-04-11",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-d67a979089"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-D8DAF8790F vom 2026-04-11",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-d8daf8790f"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2026-5CBF521345 vom 2026-04-11",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-5cbf521345"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2026-27BACF0DB0 vom 2026-04-11",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-27bacf0db0"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-9695FBDABB vom 2026-04-11",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-9695fbdabb"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2026-6D3C9CB269 vom 2026-04-11",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-6d3c9cb269"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2026-EF0F106B2D vom 2026-04-11",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-ef0f106b2d"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2026-013A91FBA2 vom 2026-04-11",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-013a91fba2"
      }
    ],
    "source_lang": "en-US",
    "title": "Tinyproxy: Schwachstelle erm\u00f6glicht Denial of Service",
    "tracking": {
      "current_release_date": "2026-04-12T22:00:00.000+00:00",
      "generator": {
        "date": "2026-04-13T10:11:13.402+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0999",
      "initial_release_date": "2026-04-07T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-07T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-08T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2026-04-12T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Fedora aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=1.11.3",
                "product": {
                  "name": "Open Source Tinyproxy \u003c=1.11.3",
                  "product_id": "T052502"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=1.11.3",
                "product": {
                  "name": "Open Source Tinyproxy \u003c=1.11.3",
                  "product_id": "T052502-fixed"
                }
              }
            ],
            "category": "product_name",
            "name": "Tinyproxy"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-31842",
      "product_status": {
        "known_affected": [
          "74185"
        ],
        "last_affected": [
          "T052502"
        ]
      },
      "release_date": "2026-04-07T22:00:00.000+00:00",
      "title": "CVE-2026-31842"
    }
  ]
}

CVE-2026-31842 (GCVE-0-2026-31842)

Vulnerability from cvelistv5 – Published: 2026-04-07 11:17 – Updated: 2026-04-07 16:30

Title

Tinyproxy HTTP request parsing desynchronization via case-sensitive Transfer-Encoding handling

Summary

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

TuranSec

References

3 references

URL	Tags
https://github.com/tinyproxy/tinyproxy/issues/604	issue-trackingtechnical-descriptionthird-party-advisory
https://github.com/tinyproxy/tinyproxy	product
https://datatracker.ietf.org/doc/html/rfc7230	technical-description

Impacted products

1 product

Vendor	Product	Version
Tinyproxy Project	Tinyproxy	Affected: 0 , ≤ 1.11.3 (custom)

Credits

Muxammadiyev G'iyosiddin

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31842",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T16:30:26.482367Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T16:30:44.774Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/tinyproxy/tinyproxy",
          "defaultStatus": "unaffected",
          "platforms": [
            "all"
          ],
          "product": "Tinyproxy",
          "vendor": "Tinyproxy Project",
          "versions": [
            {
              "lessThanOrEqual": "1.11.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muxammadiyev G\u0027iyosiddin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against \"chunked\", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.\u003c/p\u003e"
            }
          ],
          "value": "Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against \"chunked\", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An unauthenticated remote attacker can trigger HTTP request parsing desynchronization using a mixed-case Transfer-Encoding header (e.g., \u0027Chunked\u0027), leading to backend connection hangs and denial of service. In certain deployments, request-body inspection and filtering mechanisms relying on Tinyproxy may also be bypassed."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV2_0": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T11:17:33.621Z",
        "orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
        "shortName": "TuranSec"
      },
      "references": [
        {
          "name": "Upstream issue report and reproduction details",
          "tags": [
            "issue-tracking",
            "technical-description",
            "third-party-advisory"
          ],
          "url": "https://github.com/tinyproxy/tinyproxy/issues/604"
        },
        {
          "name": "Tinyproxy upstream project",
          "tags": [
            "product"
          ],
          "url": "https://github.com/tinyproxy/tinyproxy"
        },
        {
          "name": "RFC 7230: transfer-coding names are case-insensitive",
          "tags": [
            "technical-description"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc7230"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Tinyproxy HTTP request parsing desynchronization via case-sensitive Transfer-Encoding handling",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
    "assignerShortName": "TuranSec",
    "cveId": "CVE-2026-31842",
    "datePublished": "2026-04-07T11:17:33.621Z",
    "dateReserved": "2026-03-09T18:20:23.398Z",
    "dateUpdated": "2026-04-07T16:30:44.774Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0999

CVE-2026-31842 (GCVE-0-2026-31842)

Tags

Sightings

Nomenclature