PT-2024-3314 · Tinyproxy+3

Dimitrios Tatsis · Published 2024-05-01 · Updated 2025-08-22 · CVE-2023-49606

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Tinyproxy versions 1.10.0 through 1.11.1

Description: A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy. It can be triggered by a specially crafted HTTP header, leading to memory corruption and potentially allowing remote code execution. The issue is reachable by a single unauthenticated HTTP request. An estimated 50,000-plus Tinyproxy instances are affected, with nearly 52,000 internet-exposed instances at risk.

Recommendations: For Tinyproxy versions 1.10.0 through 1.11.1, update to version 1.11.2 or later, which fixes the vulnerability. As a temporary workaround where the update cannot be applied immediately, restrict access to the proxy so that untrusted clients cannot reach the vulnerable HTTP Connection Headers parsing. Avoid running the affected Tinyproxy versions in production, especially where they are exposed to the public internet, until the issue is resolved.

Exploit · Fix · RCE · Use After Free

Weakness Enumeration

Related Identifiers

ALT-PU-2024-7546
BDU:2024-03549
CVE-2023-49606
DLA-3892-1
DSA-5705-1
MGASA-2025-0003
OPENSUSE-SU-2024:0119-1
OPENSUSE-SU-2024:13943-1
USN-7190-1

Affected Products

Alt Linux
Linuxmint
Tinyproxy
Ubuntu