Muxammadiyev Giyosiddin

**Name of the Vulnerable Software and Affected Versions** Tinyproxy versions 1.0 through 1.11.3 **Description** An issue exists in the way the `Transfer-Encoding` header is parsed in src/reqs.c. The `is chunked transfer()` function uses `strcmp()` to compare the header value against "chunked", failing to account for the fact that transfer-coding names are case-insensitive. An unauthenticated remote attacker can send a request with "Transfer-Encoding: Chunked", causing the software to misinterpret the request as having no body. Consequently, `content length.client` is set to -1, `pull client data chunked()` is skipped, and the system transitions into `relay connection()` raw TCP forwarding while body data remains buffered. This creates a desynchronization between the proxy and backend servers. RFC-compliant backends may wait indefinitely for chunked body data, leading to backend worker exhaustion and application-level denial of service. Furthermore, if the software is used for request-body inspection or security enforcement, the unread body may be forwarded without inspection, potentially bypassing security controls. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tinyproxy versions up to and including 1.11.3 **Description** An integer overflow in the HTTP chunked transfer encoding parser can lead to a denial of service (DoS). The issue arises because chunk size values are parsed without proper overflow validation. A crafted chunk size, such as `0x7fffffffffffffff`, bypasses existing checks, causing a signed integer overflow during size calculations. This results in the proxy attempting to read an extremely large amount of request-body data and holding worker connections open indefinitely, potentially exhausting all available worker slots and causing service unavailability. **Recommendations** Update to a version of tinyproxy later than 1.11.3.