- Product: tinyproxy
- Vulnerabilities: 3 flaws (CVE-2026-54388, CVE-2026-54387, CVE-2026-55202)
- Highest severity: 9.3 (Critical · CVSSv4)
- Worst impact: HTTP Request Smuggling via Duplicate Content-Length Headers
- Status: No confirmed exploitation yet; patches available
- Action: Update now to a build that includes commits 364cdb67e0ea00a8e4a7037e2693e0711e816adb, ff45d3bf0e61d0f8ed97ab379d3047f04eb67521, and 09312a185ae25cc486b4ff5987638a7917a48bce
| CVE | CVSS (CVSSv4) | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-54388 | 9.3 | HTTP Request Smuggling via Duplicate Content-Length Headers | 364cdb67e0ea00a8e4a7037e2693e0711e816adb | Not exploited |
| CVE-2026-54387 | 9.3 | HTTP Request Smuggling via CL/TE Desynchronization | ff45d3bf0e61d0f8ed97ab379d3047f04eb67521 | Not exploited |
| CVE-2026-55202 | 8.8 | Stathost Detection Bypass via Host Header Manipulation | 09312a185ae25cc486b4ff5987638a7917a48bce | Not exploited |
TL;DR
Three Tinyproxy vulnerabilities, two of them critical request smuggling flaws, threaten any network that routes traffic through the proxy. They allow attackers to inject arbitrary HTTP requests past the proxy. Administrators should patch immediately to prevent serious network compromise.
Why It Matters
Tinyproxy is a lightweight HTTP proxy widely used in small network settings. It buffers fast server responses for slower clients, which noticeably improves perceived responsiveness. These new flaws break the protective layer the proxy is supposed to provide: attackers can poison web caches and bypass strict access controls. A successful Tinyproxy request smuggling attack lets an attacker hijack other clients' requests, and the Host header flaw grants unauthorized users access to the proxy's internal statistics page. Such breaches expose internal network architecture to outside threats.
How the Attack Works
The proxy fails to handle conflicting HTTP framing headers correctly. CVE-2026-54388 occurs when a request contains multiple Content-Length headers: the proxy uses the first value to determine the body length but forwards all of the headers to the backend, which may pick a different one. You can read the VulnCheck advisory on duplicate headers for technical details. Similarly, CVE-2026-54387 involves a request carrying both Content-Length and Transfer-Encoding headers, so the proxy and the backend disagree on where one request ends and the next begins. The advisory on CL-TE desynchronization outlines this parser confusion. Separately, CVE-2026-55202 involves improper validation of the Host header: a request with a crafted Host header reaches the internal statistics host (the stathost) while bypassing the checks meant to restrict it. In a similar threat context, researchers recently highlighted an Evil-WinRM path traversal flaw, emphasizing the risks of poor input validation. Currently, researchers have not confirmed any active exploitation in the wild.
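The header conditions behind the three CVEs are exactly what an intermediary or a traffic monitor should reject up front. The following added example (not tinyproxy's code) scans raw HTTP/1.1 request heads for the ambiguous framing described above, duplicate or conflicting Content-Length, Content-Length combined with Transfer-Encoding, and multiple Host headers, and returns the findings per request; the sample requests are constructed for the demo, not captured traffic.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous (RFC 9112 section 6.3).

Findings map to the advisory: duplicate/conflicting Content-Length headers,
Content-Length alongside Transfer-Encoding, and more than one Host header.
A proxy should reject such requests rather than forward them.
"""
from typing import List, Tuple


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into its request line and (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))  # names are case-insensitive
    return lines[0], headers


def framing_findings(raw: bytes) -> List[str]:
    """Return the framing ambiguities found in one request (empty list = clean)."""
    _, headers = parse_headers(raw)
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    hosts = [v for n, v in headers if n == "host"]
    findings = []
    if len(cl_values) > 1:
        if len(set(cl_values)) > 1:
            findings.append("conflicting Content-Length values")
        else:
            findings.append("duplicate Content-Length header")
    if cl_values and te_values:
        findings.append("Content-Length and Transfer-Encoding both present")
    if len(hosts) > 1:
        findings.append("multiple Host headers")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nContent-Length: 11\r\n\r\n",
    "cl_te": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dup_host": b"GET / HTTP/1.1\r\nHost: a.test\r\nHost: b.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:9s} -> {framing_findings(req) or ['ok']}")
```

Any non-empty result is a request that should be dropped at the proxy and logged; the same checks can be applied to tinyproxy access logs or packet captures to hunt for attempts.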
Affected Versions
These three vulnerabilities affect all Tinyproxy releases through version 1.11.3.
Patch or Mitigation Steps
The development team fixed these issues in recent source code commits. System administrators should update their installations immediately and confirm that the deployed build includes commits 364cdb6, 09312a1, and ff45d3b. Monitor network traffic for unusual HTTP header patterns, such as requests carrying duplicate Content-Length headers or both Content-Length and Transfer-Encoding. Restrict proxy access to trusted internal IP addresses only.