CVE-2026-31842 Overview
Tinyproxy through version 1.11.3 contains an HTTP request parsing desynchronization vulnerability due to improper handling of the Transfer-Encoding header. The vulnerability stems from a case-sensitive comparison in the is_chunked_transfer() function within src/reqs.c, which uses strcmp() to compare the header value against "chunked". According to RFC 7230, transfer-coding names are case-insensitive, meaning values like "Chunked", "CHUNKED", or any mixed-case variant should be treated identically to "chunked".
An unauthenticated remote attacker can exploit this flaw by sending a request with a non-lowercase Transfer-Encoding header (e.g., Transfer-Encoding: Chunked). This causes Tinyproxy to misinterpret the request as having no body, leading to HTTP request smuggling conditions and potential denial of service.
Critical Impact
This vulnerability enables application-level denial of service through backend worker exhaustion and potential security control bypass in deployments using Tinyproxy for request-body inspection or filtering.
Affected Products
- Tinyproxy through version 1.11.3
- Deployments using Tinyproxy as a reverse proxy with RFC-compliant backends (e.g., Node.js, Nginx)
- Environments utilizing Tinyproxy for request-body inspection or security enforcement
Discovery Timeline
- 2026-04-07 - CVE-2026-31842 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-31842
Vulnerability Analysis
This vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests, or "HTTP Request Smuggling"). The core issue lies in the is_chunked_transfer() function's use of case-sensitive string comparison when parsing the Transfer-Encoding header.
When Tinyproxy receives a request with Transfer-Encoding: Chunked (capital C), the strcmp() function returns a non-zero value because "Chunked" does not exactly match "chunked". As a result, Tinyproxy incorrectly determines that the request does not use chunked transfer encoding. This causes the proxy to set content_length.client to -1, skip the pull_client_data_chunked() function entirely, forward request headers upstream, and transition into relay_connection() raw TCP forwarding mode while unread body data remains buffered.
RFC-compliant backend servers such as Node.js and Nginx correctly interpret the mixed-case Transfer-Encoding header and expect chunked body data. This creates a desynchronization between the proxy and backend, where the backend continues waiting for chunked body data that Tinyproxy has already skipped processing.
Root Cause
The root cause is the use of strcmp() for case-sensitive string comparison in the is_chunked_transfer() function located in src/reqs.c. This violates RFC 7230 Section 4, which explicitly states that transfer-coding names are case-insensitive. The function should use a case-insensitive comparison function such as strcasecmp() to properly handle all valid representations of "chunked" transfer encoding.
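The following C program is an added illustration of the root cause and its fix; it is not Tinyproxy's source. It places a strcmp()-based check in the style of the vulnerable is_chunked_transfer() beside a strcasecmp()-based replacement and counts the header values on which the two disagree. Each disagreement is a request the proxy would forward without consuming the body while an RFC-compliant backend waits for chunks. The whitespace trimming in the hardened check and the sample values are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp()/strncasecmp(), POSIX */

/* Case-sensitive check in the style of the vulnerable is_chunked_transfer():
 * only the exact lowercase spelling is recognised.
 * Constructed illustration for this page, not Tinyproxy's code. */
int is_chunked_case_sensitive(const char *value)
{
    return strcmp(value, "chunked") == 0;
}

/* Hardened check: RFC 7230 section 4 makes transfer-coding names
 * case-insensitive, so compare with strncasecmp(). Surrounding
 * whitespace and line endings are skipped (an assumption added here
 * so the check tolerates unstripped header values). */
int is_chunked_case_insensitive(const char *value)
{
    const char *start = value;
    const char *end;

    while (*start == ' ' || *start == '\t')
        start++;
    end = start + strlen(start);
    while (end > start && (end[-1] == ' ' || end[-1] == '\t' ||
                           end[-1] == '\r' || end[-1] == '\n'))
        end--;
    return (size_t)(end - start) == 7 &&
           strncasecmp(start, "chunked", 7) == 0;
}

/* Count header values on which the vulnerable and the compliant check
 * disagree. Each one desynchronises Tinyproxy from an RFC-compliant
 * backend: the proxy forwards only the headers, the backend waits. */
int count_desync_candidates(const char *const *values, size_t n)
{
    size_t i;
    int disagreements = 0;

    for (i = 0; i < n; i++) {
        int vulnerable = is_chunked_case_sensitive(values[i]);
        int compliant  = is_chunked_case_insensitive(values[i]);
        if (vulnerable != compliant) {
            disagreements++;
            printf("DESYNC: \"%s\" (strcmp=%d, strcasecmp=%d)\n",
                   values[i], vulnerable, compliant);
        }
    }
    return disagreements;
}

/* Constructed sample Transfer-Encoding values. */
static const char *const sample_values[] = {
    "chunked", "Chunked", "CHUNKED", "ChUnKeD", "gzip", "identity"
};
#define SAMPLE_COUNT (sizeof sample_values / sizeof sample_values[0])

int main(void)
{
    int n = count_desync_candidates(sample_values, SAMPLE_COUNT);
    printf("%d of %zu values would desynchronise proxy and backend\n",
           n, (size_t)SAMPLE_COUNT);
    return 0;
}
```

Only the exact lowercase value agrees between the two checks; the three mixed-case spellings are recognised by the backend but not by the strcmp() variant, which is the condition the advisory describes.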
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to Tinyproxy with a mixed-case Transfer-Encoding header value.
The attack flow proceeds as follows: The attacker sends an HTTP request with Transfer-Encoding: Chunked (or any case variation other than lowercase) along with a chunked body. Tinyproxy's case-sensitive comparison fails to recognize the chunked encoding, treating the request as having no body. The proxy forwards only the headers to the backend while leaving body data buffered. RFC-compliant backends interpret the header correctly and wait indefinitely for the chunked body data that will never arrive, exhausting worker connections.
In security-sensitive deployments where Tinyproxy performs request-body inspection or filtering, the unprocessed body data may be forwarded without proper examination, potentially bypassing security controls.
Detection Methods for CVE-2026-31842
Indicators of Compromise
- HTTP requests containing Transfer-Encoding headers with non-lowercase "chunked" values (e.g., "Chunked", "CHUNKED", "ChUnKeD")
- Backend server logs showing connections stuck in waiting state for chunked body data
- Increased backend worker utilization without corresponding completed requests
- Proxy access logs showing requests with Transfer-Encoding headers that appear to complete without body processing
Detection Strategies
- Monitor HTTP traffic at the proxy layer for Transfer-Encoding headers using case variations of "chunked"
- Implement log correlation between Tinyproxy access logs and backend server logs to identify request desynchronization
- Deploy network-based detection rules to flag HTTP requests with mixed-case Transfer-Encoding values targeting Tinyproxy instances
- Monitor backend connection pools for abnormal growth in idle or waiting connections
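The following C program is an added example of the header-inspection strategy listed above; it is not part of Tinyproxy or of any IDS product. It scans the header block of a raw HTTP/1.1 request, finds the Transfer-Encoding header regardless of how the header name is cased, and reports whether the value is exactly "chunked", a non-lowercase spelling of it (the condition to alert on), absent, or something else. The sample requests are constructed, and a list-valued Transfer-Encoding (for example "gzip, chunked") is classified as "other" because the advisory does not cover it.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp(), POSIX */

/* Classification of one request's Transfer-Encoding header. */
enum te_verdict {
    TE_ABSENT = 0,          /* no Transfer-Encoding header at all */
    TE_CHUNKED_LOWERCASE,   /* exactly "chunked": proxy and backend agree */
    TE_CHUNKED_MIXED_CASE,  /* chunked in non-lowercase spelling: alert */
    TE_OTHER                /* any other transfer-coding value */
};

/* Scan the header block of a raw request (request line up to the blank
 * line) and classify its Transfer-Encoding value. The header name is
 * matched case-insensitively so "transfer-encoding:" is found as well.
 * Constructed detection logic for this page. */
enum te_verdict classify_transfer_encoding(const char *request)
{
    static const char name[] = "transfer-encoding:";
    const size_t name_len = sizeof name - 1;
    const char *line = strstr(request, "\r\n");   /* skip the request line */

    if (line == NULL)
        return TE_ABSENT;
    line += 2;

    while (*line != '\0' && strncmp(line, "\r\n", 2) != 0) {
        const char *eol = strstr(line, "\r\n");
        size_t line_len = eol ? (size_t)(eol - line) : strlen(line);

        if (line_len > name_len && strncasecmp(line, name, name_len) == 0) {
            const char *v = line + name_len;
            const char *vend = line + line_len;

            /* trim optional whitespace around the field value */
            while (v < vend && (*v == ' ' || *v == '\t'))
                v++;
            while (vend > v && (vend[-1] == ' ' || vend[-1] == '\t'))
                vend--;

            if ((size_t)(vend - v) == 7 && strncmp(v, "chunked", 7) == 0)
                return TE_CHUNKED_LOWERCASE;
            if ((size_t)(vend - v) == 7 && strncasecmp(v, "chunked", 7) == 0)
                return TE_CHUNKED_MIXED_CASE;
            return TE_OTHER;
        }
        if (eol == NULL)
            break;
        line = eol + 2;
    }
    return TE_ABSENT;
}

/* Count the requests that should raise an alert under this rule. */
int count_flagged_requests(const char *const *requests, size_t n)
{
    size_t i;
    int flagged = 0;

    for (i = 0; i < n; i++) {
        if (classify_transfer_encoding(requests[i]) == TE_CHUNKED_MIXED_CASE) {
            flagged++;
            printf("ALERT: mixed-case Transfer-Encoding in request %zu\n", i);
        }
    }
    return flagged;
}

/* Constructed sample traffic: one compliant chunked request, two with
 * mixed-case spellings, one GET without a body, one Content-Length body. */
static const char *const sample_requests[] = {
    "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    "Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    "Transfer-Encoding: Chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    "transfer-encoding:  CHUNKED \r\n\r\n0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Length: 5\r\n\r\nhello",
};
#define REQUEST_COUNT (sizeof sample_requests / sizeof sample_requests[0])

int main(void)
{
    printf("%d of %zu requests flagged\n",
           count_flagged_requests(sample_requests, REQUEST_COUNT),
           (size_t)REQUEST_COUNT);
    return 0;
}
```

Alerting only on TE_CHUNKED_MIXED_CASE keeps the rule quiet for ordinary traffic, since legitimate clients almost always send the lowercase spelling; correlating each alert with a backend connection that never finished reading its body confirms the desynchronization.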
Monitoring Recommendations
- Configure alerting on backend worker pool exhaustion or connection timeouts
- Implement HTTP header inspection in WAF or IDS rules to detect exploitation attempts
- Monitor Tinyproxy process memory usage for signs of buffered data accumulation
- Track ratio of proxy-forwarded requests to backend-completed requests for anomaly detection
How to Mitigate CVE-2026-31842
Immediate Actions Required
- Identify all Tinyproxy instances running version 1.11.3 or earlier in your environment
- Review network architecture to understand exposure of Tinyproxy instances to untrusted traffic
- Implement WAF rules to normalize or reject requests with non-lowercase Transfer-Encoding header values
- Consider deploying alternative proxy solutions for critical security enforcement functions until patched
Patch Information
As of the publication date, users should monitor the Tinyproxy GitHub repository for security updates. The fix should replace the strcmp() call in the is_chunked_transfer() function with a case-insensitive comparison function like strcasecmp(). Track GitHub Issue #604 for patch status and updates.
Workarounds
- Deploy a WAF or reverse proxy in front of Tinyproxy that normalizes Transfer-Encoding headers to lowercase before forwarding
- Configure network-level filtering to reject HTTP requests containing non-standard Transfer-Encoding header casing
- Limit Tinyproxy exposure by restricting access to trusted networks only until a patch is available
- For security-sensitive deployments, temporarily migrate request-body inspection functions to alternative solutions
# Example: Nginx configuration to normalize the Transfer-Encoding header
# Place in front of Tinyproxy to mitigate the vulnerability.
upstream tinyproxy_backend {
    # placeholder address: point this at where Tinyproxy actually listens
    server 127.0.0.1:8889;
}
# Any case variant of "chunked" is rewritten to the lowercase spelling;
# other values (or no header at all) pass through unchanged.
map $http_transfer_encoding $normalized_te {
    ~*^chunked$ "chunked";
    default     $http_transfer_encoding;
}
server {
    listen 8888;
    location / {
        # Stream the body unbuffered over HTTP/1.1 so the forwarded
        # Transfer-Encoding header matches the body framing nginx sends.
        # With the default request buffering, nginx re-frames the body
        # with Content-Length and the header override below would be wrong.
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_pass http://tinyproxy_backend;
        proxy_set_header Transfer-Encoding $normalized_te;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.