Platform: linux
Component: tinyproxy
Fixed in: 1.11.4
CVE-2026-31842 describes a vulnerability in Tinyproxy, a lightweight HTTP/SOCKS proxy server. The flaw stems from improper handling of the Transfer-Encoding header, which allows attackers to disrupt request processing. Tinyproxy versions from 0.0.0 up to and including 1.11.3 are affected; a fix is available in version 1.11.4.
The vulnerability lies in Tinyproxy's handling of the Transfer-Encoding header. Because the header value is compared case-sensitively against "chunked", a crafted request carrying Transfer-Encoding: Chunked tricks the proxy into believing the request has no body. The proxy and the server it forwards to then disagree about where the request ends, which is the parsing desynchronization the fix addresses. This misinterpretation can lead to denial of service or allow an attacker to bypass certain security checks by manipulating how Tinyproxy processes incoming requests. While the description does not explicitly mention data exfiltration, the ability to manipulate request processing could open avenues for further exploitation depending on the proxy's configuration and the backend servers it connects to.
CVE-2026-31842 was publicly disclosed on April 7, 2026. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on CISA KEV. The EPSS score is pending evaluation, but the potential for request manipulation suggests a medium probability of exploitation if a suitable exploit is developed.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade Tinyproxy to version 1.11.4 or later, which contains the fix for this parsing issue. If upgrading immediately is not feasible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement without deep packet inspection, you could potentially restrict the Transfer-Encoding header to known, safe values. Monitoring Tinyproxy logs for unusual request patterns, particularly those involving the Transfer-Encoding header, can also help detect potential exploitation attempts. After upgrading, confirm the fix by sending a test request with Transfer-Encoding: Chunked and verifying that Tinyproxy handles it correctly without errors.
Update Tinyproxy to version 1.11.4 or later to correct the HTTP request parsing desynchronization vulnerability. This update addresses the case-sensitive comparison of the Transfer-Encoding header, preventing attackers from causing a denial of service or bypassing security controls.
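As an added illustration, not Tinyproxy's own source, the C snippet below contrasts the case-sensitive comparison described in the vulnerability section with a case-insensitive check of the final Transfer-Encoding token, and adds a helper that flags header values on which the two interpretations disagree, which is the kind of check the header-restriction and log-monitoring workarounds above would apply. All function names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Illustrative vulnerable pattern (not Tinyproxy's source): an exact,
 * case-sensitive match, so "Chunked" or "CHUNKED" is treated as "no body". */
bool te_is_chunked_vulnerable(const char *te_value)
{
    return strcmp(te_value, "chunked") == 0;
}

/* Hardened check: Transfer-Encoding is a comma-separated list of
 * case-insensitive tokens (RFC 7230); the message has a chunked body when
 * the final coding is "chunked". Surrounding whitespace is ignored. */
bool te_is_chunked_fixed(const char *te_value)
{
    const char *last = te_value;
    size_t len;

    /* locate the start of the last comma-separated element */
    for (const char *p = te_value; *p != '\0'; p++)
        if (*p == ',')
            last = p + 1;

    while (*last == ' ' || *last == '\t')
        last++;
    len = strlen(last);
    while (len > 0 && isspace((unsigned char)last[len - 1]))
        len--;

    return len == 7 && strncasecmp(last, "chunked", 7) == 0;
}

/* Detection helper for the workaround: true when a value that a correct
 * parser treats as chunked would be missed by the case-sensitive one, i.e.
 * a request worth rejecting at the edge or flagging in the proxy logs. */
bool te_value_ambiguous(const char *te_value)
{
    return te_is_chunked_fixed(te_value) && !te_is_chunked_vulnerable(te_value);
}
```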
CVE-2026-31842 is a HIGH-severity vulnerability affecting Tinyproxy versions 0.0.0 through 1.11.3. It allows attackers to manipulate request processing by exploiting improper handling of the Transfer-Encoding header.
If you are running Tinyproxy versions 0.0.0 through 1.11.3, you are potentially affected by this vulnerability. Check your version and upgrade immediately if necessary.
Upgrade Tinyproxy to version 1.11.4 or later to resolve the vulnerability. Consider temporary workarounds like restricting the Transfer-Encoding header if immediate upgrade is not possible.
As of now, there are no publicly known active exploitation campaigns targeting CVE-2026-31842, but the potential for exploitation exists.
Refer to the official Tinyproxy project website and security advisories for the latest information and updates regarding CVE-2026-31842.