Platform: linux
Component: tinyproxy
Fixed version: 1.11.4
CVE-2026-31842 describes a desynchronization vulnerability in Tinyproxy's HTTP request parsing. Because the Transfer-Encoding header is compared case-sensitively, an attacker can send a specially crafted HTTP request that causes Tinyproxy to mishandle the request body, potentially leading to information disclosure or denial of service. The vulnerability affects Tinyproxy versions 0 through 1.11.3 and is fixed in version 1.11.4.
The vulnerability lies in Tinyproxy's handling of the Transfer-Encoding header. Due to a case-sensitive comparison against "chunked", the proxy can be tricked into believing a request has no body when a crafted request with Transfer-Encoding: Chunked is sent. This misinterpretation can lead to denial of service or potentially allow an attacker to bypass certain security checks by manipulating how Tinyproxy processes incoming requests. While the description doesn't explicitly detail data exfiltration, the ability to manipulate request processing could open avenues for further exploitation depending on the proxy's configuration and the backend servers it connects to.
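As an added illustration, not Tinyproxy's own code, the following shows the comparison pattern the page describes beside a hardened version. The hardened check goes a little beyond the single-header case on this page: it treats transfer-coding names case-insensitively, accepts the comma-separated list form, and flags a "chunked" that is not the final coding as malformed so the request can be rejected instead of being read as body-less. Function names are made up for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Vulnerable pattern: an exact, case-sensitive match. "Chunked" is not
 * recognised, so the proxy assumes the request has no body. */
int is_chunked_case_sensitive(const char *te_value)
{
    return te_value != NULL && strcmp(te_value, "chunked") == 0;
}

/* Hardened pattern. Transfer-coding names are case-insensitive, and the
 * header is a comma-separated list whose final element must be "chunked".
 * Returns 1 for a chunked body, 0 for no chunked coding, and -1 when
 * "chunked" appears but is not last (malformed; reject the request). */
int is_chunked_case_insensitive(const char *te_value)
{
    const char *p = te_value;
    int seen = 0, last_is_chunked = 0;

    if (te_value == NULL)
        return 0;
    while (*p) {
        const char *start = p, *end;
        while (*p && *p != ',')
            p++;
        end = p;
        if (*p == ',')
            p++;
        while (start < end && isspace((unsigned char)*start))
            start++;
        while (end > start && isspace((unsigned char)end[-1]))
            end--;
        if (end == start)
            continue;               /* skip empty list elements */
        last_is_chunked = (end - start == 7 &&
                           strncasecmp(start, "chunked", 7) == 0);
        if (last_is_chunked)
            seen = 1;
    }
    if (last_is_chunked)
        return 1;
    return seen ? -1 : 0;
}
```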
CVE-2026-31842 was publicly disclosed on April 7, 2026. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on CISA KEV. The EPSS score is pending evaluation, but the potential for request manipulation suggests a medium probability of exploitation if a suitable exploit is developed.
Systems utilizing Tinyproxy as a proxy server, particularly those handling sensitive traffic or acting as a gateway to internal resources, are at risk. Shared hosting environments where users have limited control over proxy configuration are also vulnerable.
• linux / server:
  journalctl -u tinyproxy -g 'Transfer-Encoding: Chunked'
• generic web:
  curl -I 'http://your-tinyproxy-server/some-resource' | grep Transfer-Encoding
Exploitation status
EPSS
0.06% (19th percentile)
CISA SSVC
The primary mitigation is to upgrade Tinyproxy to version 1.11.4 or later, which contains the fix for this parsing issue. If upgrading immediately is not feasible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement without deep packet inspection, you could potentially restrict the Transfer-Encoding header to known, safe values. Monitoring Tinyproxy logs for unusual request patterns, particularly those involving the Transfer-Encoding header, can also help detect potential exploitation attempts. After upgrading, confirm the fix by sending a test request with Transfer-Encoding: Chunked and verifying that Tinyproxy handles it correctly without errors.
Upgrade Tinyproxy to version 1.11.4 or later to fix the HTTP request parsing desynchronization vulnerability. This update addresses the case-sensitive comparison of the Transfer-Encoding header, preventing attackers from causing a denial of service or bypassing security controls.
CVE-2026-31842 is a Tinyproxy HTTP request parsing vulnerability in which an attacker can use the Transfer-Encoding header to craft a request that Tinyproxy handles incorrectly.
If your Tinyproxy version is below 1.11.4, it may be affected by this vulnerability. Upgrade to the latest version as soon as possible.
Upgrading to Tinyproxy 1.11.4 or later fixes this vulnerability.
CVSS vector