Platform
linux
Component
tinyproxy
Fixed in
1.11.4
CVE-2026-3945 is a Denial of Service (DoS) vulnerability affecting tinyproxy versions up to and including 1.11.3. This vulnerability stems from an integer overflow in the HTTP chunked transfer encoding parser, allowing an unauthenticated remote attacker to trigger a denial of service. The vulnerability arises because chunk size values are parsed without proper overflow validation, leading to incorrect size calculations. Currently, there is no official patch available to address this vulnerability.
CVE-2026-3945 affects tinyproxy versions up to and including 1.11.3 and is an integer overflow in the HTTP chunked transfer encoding parser. An unauthenticated remote attacker can exploit this flaw to cause a denial of service (DoS). The issue arises because chunk size values are parsed with strtol() without checking for an overflow condition (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) passes the existing validation check (chunklen < 0), and the subsequent size arithmetic overflows as a signed integer. This can result in excessive resource consumption or server crashes, disrupting service for legitimate users. The CVSS severity score is 7.8, indicating a high risk.
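The following is an added example of the defensive check described above; it is not tinyproxy's code. The function name parse_chunk_size and the MAX_CHUNK_SIZE limit are assumptions for this illustration. It shows why testing only for a negative result is insufficient: strtol() saturates at LONG_MAX and sets errno to ERANGE on overflow, and a 16-digit value equal to LONG_MAX does not even set errno, so an explicit upper bound is needed as well.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <stdio.h>

/* Upper bound on a single chunk; a hypothetical policy value for this example. */
#define MAX_CHUNK_SIZE (64L * 1024 * 1024)

/* Parse one chunk-size line such as "1a\r\n" or "1a;ext=val\r\n".
 * Returns the chunk size, or -1 if the line is not a safe, well-formed size. */
long parse_chunk_size(const char *line)
{
    char *end;
    long chunklen;

    /* Require a leading hex digit: strtol would otherwise accept " -1" or "+5". */
    if (line == NULL || !isxdigit((unsigned char)line[0]))
        return -1;
    /* strtol(base 16) also accepts a "0x" prefix, which HTTP does not allow. */
    if (line[0] == '0' && (line[1] == 'x' || line[1] == 'X'))
        return -1;

    errno = 0;
    chunklen = strtol(line, &end, 16);

    /* Overflow: strtol returned LONG_MAX and set ERANGE. The result is
     * positive, so a (chunklen < 0) test alone never catches this. */
    if (errno == ERANGE)
        return -1;

    /* Bound the size explicitly: a representable LONG_MAX is not a plausible
     * chunk and would overflow later size arithmetic. */
    if (chunklen < 0 || chunklen > MAX_CHUNK_SIZE)
        return -1;

    /* Only a chunk extension (';') or the line terminator may follow the digits. */
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;

    return chunklen;
}

int main(void)
{
    /* Constructed sample lines: a normal chunk size and an overflowing one. */
    printf("1a       -> %ld\n", parse_chunk_size("1a\r\n"));
    printf("LONG_MAX -> %ld\n", parse_chunk_size("7fffffffffffffff\r\n"));
    return 0;
}
```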
Exploitation of this vulnerability requires an attacker to be able to send HTTP requests to a vulnerable tinyproxy server. This typically involves the ability to interact with the server over the network. An attacker could send a series of HTTP requests with malicious chunk sizes designed to trigger the integer overflow. The difficulty of exploitation depends on network configuration and existing security measures. However, the relative simplicity of exploitation makes this vulnerability a significant concern, especially for servers exposed to the internet.
Exploit Status
EPSS
0.06% (20th percentile)
Currently, there is no fix available for CVE-2026-3945. The most effective mitigation is to upgrade to a tinyproxy version later than 1.11.3 as soon as it becomes available. In the meantime, consider implementing additional security measures, such as rate limiting incoming requests and monitoring server performance for signs of a DoS attack. A web application firewall (WAF) can also be considered to filter malicious traffic. The lack of an immediate solution makes upgrading the highest priority for protecting systems using tinyproxy.
Update tinyproxy to a version later than 1.11.3. If updating is not possible, consider applying patch bb7edc4 manually. This fixes the integer overflow vulnerability in the parsing of HTTP chunked transfer encoding.
It's a method for sending HTTP data in variable-sized chunks. It allows the server to begin sending data before knowing the total response size.
Integer validation is crucial to prevent overflows that can lead to unexpected behavior, such as memory corruption or malicious code execution.
Check the version of tinyproxy you are using. If it is 1.11.3 or earlier, it is vulnerable. Monitor server logs for errors or unusual behavior that might indicate an exploitation attempt.
A denial-of-service (DoS) attack aims to make a service unavailable to legitimate users, typically by overwhelming the server with malicious traffic.
You can find more information on vulnerability databases such as the National Vulnerability Database (NVD) or on tinyproxy security advisories.