CVE-2026-31842 Vulnerability in Tinyproxy Affects HTTP Request Parsing

What Happened

Tinyproxy, a popular lightweight HTTP proxy server, is affected by a security vulnerability identified as CVE-2026-31842. This issue was discovered in all versions up to and including 1.11.3. The vulnerability arises due to improper handling of HTTP request parsing related to the Transfer-Encoding header. This flaw can be leveraged by an unauthenticated remote attacker to cause significant disruptions to systems that rely on Tinyproxy for HTTP request handling.

Discovered in 2026, the vulnerability impacts numerous environments that employ Tinyproxy for purposes including request filtering, security enforcement, or even simple HTTP request relaying. The flaw is related to the manner in which Tinyproxy interprets header values for Transfer-Encoding, specifically failing to comply with RFC 7230 specifications regarding case insensitivity.

Technical Details

The vulnerability, assigned a CVSS score of 7.5 (high), is due to a case-sensitive comparison implemented within the is_chunked_transfer() function located in the src/reqs.c file. Tinyproxy makes use of the strcmp() function to compare the Transfer-Encoding header value against "chunked." RFC 7230 dictates that transfer-coding names should be case-insensitive, allowing variations like "Chunked."

When an attacker sends a specially crafted HTTP request with the Transfer-Encoding header set to "Chunked," Tinyproxy interprets the request as lacking a body. In response, Tinyproxy sets content_length.client to -1, avoids executing pull_client_data_chunked(), and forwards request headers directly to upstream servers. This causes Tinyproxy to engage in relay_connection() raw TCP forwarding while the body data remains unread. This results in a desynchronization between Tinyproxy and backend servers that are RFC-compliant, like Node.js and Nginx, which then continually wait for the chunked data, leading to indefinite hanging and potential denial of service.

Impact

Administrators using Tinyproxy up to version 1.11.3 could face severe disruptions if exploited. Backend servers processed through Tinyproxy may experience connection exhaustion as a result of incomplete requests. This situation can lead to the inability of servers to handle further requests, significantly downgrading service availability.

For systems relying on Tinyproxy for security filtering or request inspection, there's a risk that unread request bodies could bypass security controls entirely, as they may be forwarded without proper examination. This could potentially open up avenues for attackers to exfiltrate data or insert malicious payloads without detection.

What To Do

• Upgrade to the Latest Version: Ensure Tinyproxy is updated to a version beyond 1.11.3 where this vulnerability is patched.
• Examine Server Logs: Check server logs for abnormal HTTP request behavior, especially with irregular Transfer-Encoding headers like "Chunked."
• Implement Request Filtering: Use additional layers of filtering or firewall configurations to block malformed requests at the network boundary.
• Review Backend Configurations: Ensure that backend servers like Nginx or Node.js have appropriate timeout settings to prevent indefinite hanging.
• Deploy Intrusion Detection Systems: Configure IDS/IPS to identify and alert on attempts to exploit this vulnerability.

Patch Tinyproxy to the latest release as a priority to mitigate this vulnerability. In parallel, reviewing and hardening request inspection and logging configurations will further enhance defenses against potential exploitation of similar issues in proxy environments.