Tinyproxy — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/tinyproxy/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 30 Mar 2026 08:16:17 +0000Tinyproxy HTTP Chunked Encoding Integer Overflow Denial of Servicehttps://feed.craftedsignal.io/briefs/2026-03-tinyproxy-dos/Mon, 30 Mar 2026 08:16:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tinyproxy-dos/An integer overflow vulnerability in Tinyproxy's HTTP chunked transfer encoding parser (versions <= 1.11.3) allows an unauthenticated remote attacker to cause a denial of service by sending a crafted chunk size that bypasses validation, leading to resource exhaustion.Tinyproxy, a lightweight HTTP/HTTPS proxy daemon, is vulnerable to an integer overflow in its chunked transfer encoding parser. This vulnerability, identified as CVE-2026-3945, affects versions up to and including 1.11.3. A remote, unauthenticated attacker can exploit this flaw by sending a specially crafted HTTP request containing an invalid chunk size value, such as 0x7fffffffffffffff. The strtol() function is used to parse chunk sizes but fails to properly validate overflow conditions, specifically the ERANGE error. This bypasses a check designed to prevent negative chunk lengths (chunklen < 0). The subsequent signed integer overflow during arithmetic operations leads to the proxy attempting to read an excessively large amount of data, exhausting resources and preventing new connections, effectively causing a denial-of-service condition. Although the upstream has addressed the issue in commit bb7edc4, the latest stable release (1.11.3) remains vulnerable.

Attack Chain

  1. The attacker sends an HTTP request to the Tinyproxy server.
  2. The HTTP request uses chunked transfer encoding.
  3. The attacker includes a crafted chunk size value, such as 0x7fffffffffffffff (LONG_MAX), within the request headers.
  4. The Tinyproxy server parses the chunk size using strtol().
  5. The strtol() function does not adequately validate the integer overflow (errno == ERANGE).
  6. The crafted chunk size bypasses the initial validation check (chunklen < 0).
  7. A signed integer overflow occurs during arithmetic operations (chunklen + 2).
  8. The proxy attempts to read an extremely large amount of request-body data, exhausting available worker slots and preventing new connections, causing a denial of service (DoS).

Impact

Successful exploitation of CVE-2026-3945 leads to a denial-of-service condition. The vulnerable Tinyproxy instance becomes unresponsive as it exhausts its available worker slots. This prevents legitimate users from accessing services proxied by the affected server. The impact is significant as it can completely disrupt services reliant on the proxy, affecting all users until the service is manually restarted or patched. The severity is high due to the ease of exploitation (unauthenticated remote attacker) and the potential for widespread service disruption.

Recommendation

  • Upgrade Tinyproxy to a version patched against CVE-2026-3945 (commit bb7edc4 or later). If an upgrade is not immediately feasible, consider implementing a web application firewall (WAF) rule to filter requests with excessively large chunk sizes to mitigate the vulnerability.
  • Deploy the Sigma rule Detect Suspiciously Large HTTP Chunk Size to identify requests with abnormally large chunk sizes within HTTP traffic, indicating potential exploitation attempts of CVE-2026-3945.
  • Monitor web server logs for HTTP requests with chunk sizes exceeding a reasonable threshold. Analyze the request patterns to identify potential malicious actors attempting to exploit this vulnerability using the webserver log source.
]]>highadvisorytinyproxydenial-of-serviceinteger-overflowcve-2026-3945