Source: tinyproxy
Version: 1.11.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/tinyproxy/tinyproxy/issues/604
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for tinyproxy.

CVE-2026-31842[0]:
| Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing
| desynchronization due to a case-sensitive comparison of the
| Transfer-Encoding header in src/reqs.c. The is_chunked_transfer()
| function uses strcmp() to compare the header value against
| "chunked", even though RFC 7230 specifies that transfer-coding names
| are case-insensitive. By sending a request with Transfer-Encoding:
| Chunked, an unauthenticated remote attacker can cause Tinyproxy to
| misinterpret the request as having no body. In this state, Tinyproxy
| sets content_length.client to -1, skips pull_client_data_chunked(),
| forwards request headers upstream, and transitions into
| relay_connection() raw TCP forwarding while unread body data remains
| buffered. This leads to inconsistent request state between Tinyproxy
| and backend servers. RFC-compliant backends (e.g., Node.js, Nginx)
| will continue waiting for chunked body data, causing connections to
| hang indefinitely. This behavior enables application-level denial of
| service through backend worker exhaustion. Additionally, in
| deployments where Tinyproxy is used for request-body inspection,
| filtering, or security enforcement, the unread body may be forwarded
| without proper inspection, resulting in potential security control
| bypass.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-31842
    https://www.cve.org/CVERecord?id=CVE-2026-31842
[1] https://github.com/tinyproxy/tinyproxy/issues/604
[2] https://github.com/tinyproxy/tinyproxy/commit/879bf844abffa0bf5fae6aff0c73179024dd9f98

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
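The case-sensitive comparison described in the advisory, beside a case-insensitive and list-aware replacement that refuses to treat an unrecognised Transfer-Encoding as "no body", as an added C example (constructed for this report; it is not tinyproxy's src/reqs.c nor the upstream fix in [2], and the function and enum names are assumptions):

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
/* Constructed example, not tinyproxy's code or its upstream fix. */
/* The pattern the report describes: exact, case-sensitive match, so
 * "Chunked" is handled like an absent header, i.e. "no body". */
static bool is_chunked_case_sensitive(const char *value)
{
        return value != NULL && strcmp(value, "chunked") == 0;
}
/* How the proxy should frame the request body. */
enum te_framing {
        TE_ABSENT,   /* no Transfer-Encoding header: Content-Length or no body */
        TE_CHUNKED,  /* final transfer-coding is "chunked": read a chunked body */
        TE_REJECT    /* header present but not chunked-framed: answer 400, do not relay */
};
/* Case-insensitive (RFC 7230 transfer-coding names), list-aware check.
 * A header that is present but not terminated by "chunked" is never
 * treated as "no body"; that assumption is what produced the desync. */
static enum te_framing classify_transfer_encoding(const char *value)
{
        const char *p = value;
        bool last_is_chunked = false;
        bool saw_element = false;
        if (value == NULL)
                return TE_ABSENT;
        while (*p != '\0') {
                const char *start, *end;
                while (*p == ' ' || *p == '\t' || *p == ',')   /* OWS, empty elements */
                        p++;
                if (*p == '\0')
                        break;
                start = p;
                while (*p != '\0' && *p != ',')
                        p++;
                end = p;
                while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
                        end--;                                  /* trim trailing OWS */
                saw_element = true;
                last_is_chunked = (end - start == 7 &&
                                   strncasecmp(start, "chunked", 7) == 0);
        }
        if (!saw_element)          /* "Transfer-Encoding:" with an empty value */
                return TE_REJECT;
        return last_is_chunked ? TE_CHUNKED : TE_REJECT;
}
```

Returning TE_REJECT for anything other than a chunked-terminated list keeps the proxy from ever forwarding headers upstream while an unread body stays buffered, which is the state the advisory describes.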

