Platform
linux
Component
tinyproxy
Fixed in
1.11.4
CVE-2026-31842 describes a vulnerability in Tinyproxy, a lightweight HTTP/SOCKS proxy server. This flaw stems from an improper handling of the Transfer-Encoding header, allowing attackers to potentially disrupt request processing. Versions of Tinyproxy from 0.0.0 up to and including 1.11.3 are affected. A fix is available in version 1.11.4.
The vulnerability lies in Tinyproxy's handling of the Transfer-Encoding header. Due to a case-sensitive comparison against "chunked", the proxy can be tricked into believing a request has no body when a crafted request with Transfer-Encoding: Chunked is sent. This misinterpretation can lead to denial of service or potentially allow an attacker to bypass certain security checks by manipulating how Tinyproxy processes incoming requests. While the description doesn't explicitly detail data exfiltration, the ability to manipulate request processing could open avenues for further exploitation depending on the proxy's configuration and the backend servers it connects to.
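To make the parsing flaw concrete, here is an added C example (not Tinyproxy's own code; the function names are hypothetical) that puts a case-sensitive "chunked" check beside a case-insensitive parse of the Transfer-Encoding coding list, plus a helper that flags header values the strict check would misclassify, which is the condition the log search in the detection section is looking for.

```c
/* Added example, not Tinyproxy's own code: a case-sensitive check on the
 * Transfer-Encoding header beside an RFC 7230-style parse that treats
 * transfer-coding names as case-insensitive tokens. Names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: exact match against the lowercase literal. A value of
 * "Chunked" or "CHUNKED" returns 0, so the proxy assumes there is no body. */
int te_is_chunked_strict(const char *value)
{
    return value != NULL && strcmp(value, "chunked") == 0;
}

/* Case-insensitive comparison of an n-byte slice with a lowercase literal. */
static int eq_ci(const char *s, size_t n, const char *lit)
{
    if (strlen(lit) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != (unsigned char)lit[i])
            return 0;
    return 1;
}

/* Hardened check: codings form a comma-separated list; the message is chunked
 * when the final coding, ignoring case and surrounding whitespace, is "chunked". */
int te_is_chunked_rfc(const char *value)
{
    if (value == NULL)
        return 0;
    const char *last = strrchr(value, ',');
    last = last ? last + 1 : value;
    while (*last && isspace((unsigned char)*last))
        last++;
    size_t len = strlen(last);
    while (len > 0 && isspace((unsigned char)last[len - 1]))
        len--;
    return eq_ci(last, len, "chunked");
}

/* Detection helper: a value the RFC parse calls chunked but the strict compare
 * rejects is exactly the kind of header a log review should flag. */
int te_would_be_misparsed(const char *value)
{
    return te_is_chunked_rfc(value) && !te_is_chunked_strict(value);
}
```

Feeding constructed values such as "Chunked" or "gzip, CHUNKED" to te_would_be_misparsed returns 1, while "chunked" and "gzip" return 0.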
CVE-2026-31842 was publicly disclosed on April 7, 2026. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on CISA KEV. The EPSS score is pending evaluation, but the potential for request manipulation suggests a medium probability of exploitation if a suitable exploit is developed.
Systems utilizing Tinyproxy as a proxy server, particularly those handling sensitive traffic or acting as a gateway to internal resources, are at risk. Shared hosting environments where users have limited control over proxy configuration are also vulnerable.
• linux / server:
journalctl -u tinyproxy -g 'Transfer-Encoding: Chunked'
• generic web:
curl -I 'http://your-tinyproxy-server/some-resource' | grep Transfer-Encoding
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Tinyproxy to version 1.11.4 or later, which contains the fix for this parsing issue. If upgrading immediately is not feasible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement without deep packet inspection, you could potentially restrict the Transfer-Encoding header to known, safe values. Monitoring Tinyproxy logs for unusual request patterns, particularly those involving the Transfer-Encoding header, can also help detect potential exploitation attempts. After upgrading, confirm the fix by sending a test request with Transfer-Encoding: Chunked and verifying that Tinyproxy handles it correctly without errors.
Update Tinyproxy to version 1.11.4 or later to fix the HTTP request parsing desynchronization vulnerability. This update addresses the case-sensitive comparison of the Transfer-Encoding header, preventing attackers from causing a denial of service or bypassing security controls.
CVE-2026-31842 is a HIGH severity vulnerability affecting Tinyproxy versions 0.0.0 through 1.11.3. It allows attackers to manipulate request processing by exploiting improper handling of the Transfer-Encoding header.
If you are running Tinyproxy versions 0.0.0 through 1.11.3, you are potentially affected by this vulnerability. Check your version and upgrade immediately if necessary.
Upgrade Tinyproxy to version 1.11.4 or later to resolve the vulnerability. Consider temporary workarounds like restricting the Transfer-Encoding header if immediate upgrade is not possible.
As of now, there are no publicly known active exploitation campaigns targeting CVE-2026-31842, but the potential for exploitation exists.
Refer to the official Tinyproxy project website and security advisories for the latest information and updates regarding CVE-2026-31842.