CVE-2026-31842

Name of the Vulnerable Software and Affected Versions Tinyproxy versions 1.0 through 1.11.3

Description An issue exists in the way the Transfer-Encoding header is parsed in src/reqs.c. The is chunked transfer() function uses strcmp() to compare the header value against "chunked", failing to account for the fact that transfer-coding names are case-insensitive. An unauthenticated remote attacker can send a request with "Transfer-Encoding: Chunked", causing the software to misinterpret the request as having no body. Consequently, content length.client is set to -1, pull client data chunked() is skipped, and the system transitions into relay connection() raw TCP forwarding while body data remains buffered. This creates a desynchronization between the proxy and backend servers. RFC-compliant backends may wait indefinitely for chunked body data, leading to backend worker exhaustion and application-level denial of service. Furthermore, if the software is used for request-body inspection or security enforcement, the unread body may be forwarded without inspection, potentially bypassing security controls.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.