<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Desync - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/desync/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 22 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/desync/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tinyproxy HTTP Request Parsing Desynchronization Vulnerability (CVE-2026-31842)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tinyproxy-desync/</link><pubDate>Mon, 22 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tinyproxy-desync/</guid><description>Tinyproxy versions 1.11.3 and earlier are vulnerable to HTTP request parsing desynchronization due to case-sensitive comparison of the Transfer-Encoding header, allowing unauthenticated remote attackers to cause denial of service or security control bypass by sending crafted requests.</description><content:encoded><![CDATA[<p>Tinyproxy, a lightweight HTTP/HTTPS proxy daemon, is susceptible to HTTP request parsing desynchronization due to an issue in how it handles the <code>Transfer-Encoding</code> header. Specifically, versions up to and including 1.11.3 perform a case-sensitive comparison of the <code>Transfer-Encoding</code> header value against &quot;chunked&quot;. This deviates from RFC 7230, which mandates case-insensitive handling of transfer-coding names. An unauthenticated remote attacker can exploit this vulnerability (CVE-2026-31842) by sending a specially crafted HTTP request with a modified <code>Transfer-Encoding</code> header (e.g., <code>Transfer-Encoding: Chunked</code>). This causes Tinyproxy to misinterpret the request, potentially leading to denial-of-service (DoS) conditions due to backend worker exhaustion or bypassing security controls when Tinyproxy is used for request inspection and filtering. The vulnerability was published on 2026-04-07 and impacts deployments where Tinyproxy is used as a forward or reverse proxy.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a crafted HTTP request to the Tinyproxy server. The request includes a <code>Transfer-Encoding</code> header with a case variation of &quot;chunked&quot;, such as &quot;Chunked&quot;.</li>
<li>Tinyproxy's <code>is_chunked_transfer()</code> function in <code>src/reqs.c</code> uses <code>strcmp()</code> to compare the header value against &quot;chunked&quot;.</li>
<li>Due to the case-sensitive comparison, the header value does not match &quot;chunked&quot;, and Tinyproxy misinterprets the request as not using chunked transfer encoding.</li>
<li>Tinyproxy sets <code>content_length.client</code> to -1 and skips the <code>pull_client_data_chunked()</code> function.</li>
<li>Tinyproxy forwards the request headers upstream to the backend server.</li>
<li>Tinyproxy transitions into <code>relay_connection()</code>, initiating raw TCP forwarding of data. However, unread body data remains buffered on the Tinyproxy server.</li>
<li>The backend server, expecting a chunked request body, waits indefinitely for the remaining data, leading to a hung connection.</li>
<li>Repeated exploitation exhausts backend server resources, resulting in application-level denial of service. In scenarios involving request inspection, uninspected data is forwarded, bypassing security controls.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-31842 can lead to application-level denial of service due to backend worker exhaustion. RFC-compliant backend servers, such as Node.js or Nginx, will indefinitely wait for chunked body data, consuming resources. In deployments where Tinyproxy is used for security enforcement (request body inspection, filtering), the vulnerability allows attackers to bypass these controls by sending uninspected data to the backend server. The specific number of affected installations is unknown, but all deployments of Tinyproxy versions 1.11.3 and earlier are vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Tinyproxy to a patched version that addresses the case-sensitive comparison of the <code>Transfer-Encoding</code> header (check the vendor website for the latest version).</li>
<li>Deploy the Sigma rule &quot;Detect Case-Variant Transfer-Encoding Header&quot; to detect exploitation attempts in real-time by monitoring web server logs for requests with malformed <code>Transfer-Encoding</code> headers.</li>
<li>Monitor Tinyproxy's logs for unusual connection patterns or error messages that may indicate exploitation attempts.</li>
<li>Implement web application firewall (WAF) rules to normalize or reject requests with non-standard <code>Transfer-Encoding</code> headers, mitigating the vulnerability at the perimeter.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>tinyproxy</category><category>http</category><category>desync</category><category>denial-of-service</category><category>CVE-2026-31842</category><category>linux</category></item></channel></rss>