CVE-2026-31842: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Tinyproxy Project Tinyproxy
Tinyproxy versions through 1. 11. 3 have a vulnerability in HTTP request parsing due to case-sensitive comparison of the Transfer-Encoding header. This causes Tinyproxy to misinterpret requests with 'Transfer-Encoding: Chunked' as having no body, leading to inconsistent request states between Tinyproxy and backend servers. As a result, backend servers compliant with RFC 7230 may hang indefinitely waiting for chunked body data, causing application-level denial of service through backend worker exhaustion. Additionally, in setups where Tinyproxy inspects or filters request bodies, this flaw can allow bypass of security controls by forwarding unread body data without inspection.
AI Analysis
Technical Summary
CVE-2026-31842 affects Tinyproxy through version 1.11.3 and arises from the is_chunked_transfer() function using a case-sensitive strcmp() to compare the Transfer-Encoding header value against "chunked". RFC 7230 mandates that transfer-coding names are case-insensitive, so a header value of "Chunked" is not recognized properly. This leads Tinyproxy to treat the request as having no body, setting content_length.client to -1, skipping chunked data processing, and forwarding headers upstream while buffered body data remains unread. Backend servers that follow RFC 7230 continue waiting for the chunked body, causing connections to hang and backend worker exhaustion, resulting in denial of service. In configurations where Tinyproxy performs request-body inspection or filtering, the unread body may be forwarded without inspection, potentially bypassing security controls.
Potential Impact
An unauthenticated remote attacker can cause denial of service by exploiting the inconsistent HTTP request parsing, leading to backend server worker exhaustion due to hanging connections. Additionally, security controls relying on Tinyproxy's request-body inspection can be bypassed, allowing potentially malicious data to reach backend servers uninspected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should be aware of the risk of denial of service and potential security bypass in Tinyproxy deployments. Consider implementing compensating controls such as limiting connection timeouts on backend servers or using alternative proxies that correctly handle Transfer-Encoding headers.
CVE-2026-31842: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Tinyproxy Project Tinyproxy
Description
Tinyproxy versions through 1. 11. 3 have a vulnerability in HTTP request parsing due to case-sensitive comparison of the Transfer-Encoding header. This causes Tinyproxy to misinterpret requests with 'Transfer-Encoding: Chunked' as having no body, leading to inconsistent request states between Tinyproxy and backend servers. As a result, backend servers compliant with RFC 7230 may hang indefinitely waiting for chunked body data, causing application-level denial of service through backend worker exhaustion. Additionally, in setups where Tinyproxy inspects or filters request bodies, this flaw can allow bypass of security controls by forwarding unread body data without inspection.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-31842 affects Tinyproxy through version 1.11.3 and arises from the is_chunked_transfer() function using a case-sensitive strcmp() to compare the Transfer-Encoding header value against "chunked". RFC 7230 mandates that transfer-coding names are case-insensitive, so a header value of "Chunked" is not recognized properly. This leads Tinyproxy to treat the request as having no body, setting content_length.client to -1, skipping chunked data processing, and forwarding headers upstream while buffered body data remains unread. Backend servers that follow RFC 7230 continue waiting for the chunked body, causing connections to hang and backend worker exhaustion, resulting in denial of service. In configurations where Tinyproxy performs request-body inspection or filtering, the unread body may be forwarded without inspection, potentially bypassing security controls.
Potential Impact
An unauthenticated remote attacker can cause denial of service by exploiting the inconsistent HTTP request parsing, leading to backend server worker exhaustion due to hanging connections. Additionally, security controls relying on Tinyproxy's request-body inspection can be bypassed, allowing potentially malicious data to reach backend servers uninspected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should be aware of the risk of denial of service and potential security bypass in Tinyproxy deployments. Consider implementing compensating controls such as limiting connection timeouts on backend servers or using alternative proxies that correctly handle Transfer-Encoding headers.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- TuranSec
- Date Reserved
- 2026-03-09T18:20:23.398Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d4ee89aaed68159a15cf1a
Added to database: 4/7/2026, 11:46:17 AM
Last enriched: 4/7/2026, 12:01:09 PM
Last updated: 4/7/2026, 1:25:03 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.