CVE-2026-54387
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
Tinyproxy versions up to 1.11.3 improperly handle conflicting Content-Length and Transfer-Encoding: chunked headers, leading to forwarding them verbatim to the backend. This can allow remote attackers to inject arbitrary HTTP requests to the backend.
Risk Assessment
Attackers can exploit this vulnerability to enable cache poisoning, access control bypass, and request hijacking, potentially leading to serious security breaches within the organization.
Recommendation
It is recommended to update Tinyproxy to a version that includes the fix (after commit ff45d3b) and to monitor logs for potential attack attempts.
Original NVD description (English source)
Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

