{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-31842/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-31842"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tinyproxy"],"_cs_severities":["high"],"_cs_tags":["tinyproxy","http","desync","denial-of-service","CVE-2026-31842","linux"],"_cs_type":"advisory","_cs_vendors":["Tinyproxy"],"content_html":"\u003cp\u003eTinyproxy, a lightweight HTTP/HTTPS proxy daemon, is susceptible to HTTP request parsing desynchronization due to an issue in how it handles the \u003ccode\u003eTransfer-Encoding\u003c/code\u003e header. Specifically, versions up to and including 1.11.3 perform a case-sensitive comparison of the \u003ccode\u003eTransfer-Encoding\u003c/code\u003e header value against \u0026quot;chunked\u0026quot;. This deviates from RFC 7230, which mandates case-insensitive handling of transfer-coding names. An unauthenticated remote attacker can exploit this vulnerability (CVE-2026-31842) by sending a specially crafted HTTP request with a modified \u003ccode\u003eTransfer-Encoding\u003c/code\u003e header (e.g., \u003ccode\u003eTransfer-Encoding: Chunked\u003c/code\u003e). This causes Tinyproxy to misinterpret the request, potentially leading to denial-of-service (DoS) conditions due to backend worker exhaustion or bypassing security controls when Tinyproxy is used for request inspection and filtering. The vulnerability was published on 2026-04-07 and impacts deployments where Tinyproxy is used as a forward or reverse proxy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the Tinyproxy server. The request includes a \u003ccode\u003eTransfer-Encoding\u003c/code\u003e header with a case variation of \u0026quot;chunked\u0026quot;, such as \u0026quot;Chunked\u0026quot;.\u003c/li\u003e\n\u003cli\u003eTinyproxy's \u003ccode\u003eis_chunked_transfer()\u003c/code\u003e function in \u003ccode\u003esrc/reqs.c\u003c/code\u003e uses \u003ccode\u003estrcmp()\u003c/code\u003e to compare the header value against \u0026quot;chunked\u0026quot;.\u003c/li\u003e\n\u003cli\u003eDue to the case-sensitive comparison, the header value does not match \u0026quot;chunked\u0026quot;, and Tinyproxy misinterprets the request as not using chunked transfer encoding.\u003c/li\u003e\n\u003cli\u003eTinyproxy sets \u003ccode\u003econtent_length.client\u003c/code\u003e to -1 and skips the \u003ccode\u003epull_client_data_chunked()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eTinyproxy forwards the request headers upstream to the backend server.\u003c/li\u003e\n\u003cli\u003eTinyproxy transitions into \u003ccode\u003erelay_connection()\u003c/code\u003e, initiating raw TCP forwarding of data. However, unread body data remains buffered on the Tinyproxy server.\u003c/li\u003e\n\u003cli\u003eThe backend server, expecting a chunked request body, waits indefinitely for the remaining data, leading to a hung connection.\u003c/li\u003e\n\u003cli\u003eRepeated exploitation exhausts backend server resources, resulting in application-level denial of service. In scenarios involving request inspection, uninspected data is forwarded, bypassing security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31842 can lead to application-level denial of service due to backend worker exhaustion. RFC-compliant backend servers, such as Node.js or Nginx, will indefinitely wait for chunked body data, consuming resources. In deployments where Tinyproxy is used for security enforcement (request body inspection, filtering), the vulnerability allows attackers to bypass these controls by sending uninspected data to the backend server. The specific number of affected installations is unknown, but all deployments of Tinyproxy versions 1.11.3 and earlier are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tinyproxy to a patched version that addresses the case-sensitive comparison of the \u003ccode\u003eTransfer-Encoding\u003c/code\u003e header (check the vendor website for the latest version).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Case-Variant Transfer-Encoding Header\u0026quot; to detect exploitation attempts in real-time by monitoring web server logs for requests with malformed \u003ccode\u003eTransfer-Encoding\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eMonitor Tinyproxy's logs for unusual connection patterns or error messages that may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to normalize or reject requests with non-standard \u003ccode\u003eTransfer-Encoding\u003c/code\u003e headers, mitigating the vulnerability at the perimeter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-tinyproxy-desync/","summary":"Tinyproxy versions 1.11.3 and earlier are vulnerable to HTTP request parsing desynchronization due to case-sensitive comparison of the Transfer-Encoding header, allowing unauthenticated remote attackers to cause denial of service or security control bypass by sending crafted requests.","title":"Tinyproxy HTTP Request Parsing Desynchronization Vulnerability (CVE-2026-31842)","url":"https://feed.craftedsignal.io/briefs/2024-01-tinyproxy-desync/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-31842","version":"https://jsonfeed.org/version/1.1"}