CVE-2026-54387 tinyproxy CVE debrief

Who should care

Anyone using Tinyproxy, especially in a production environment, should be concerned about this vulnerability. This includes administrators, developers, and security teams who manage or use Tinyproxy for HTTP proxying.

Technical summary

The vulnerability occurs in Tinyproxy versions through 1.11.3. The issue arises from the proxy's inability to properly handle conflicting HTTP headers, specifically Content-Length and Transfer-Encoding: chunked. When such conflicting headers are present, Tinyproxy forwards both headers to the backend server but uses the Content-Length header to determine how many bytes of the request body to consume. This behavior can lead to desynchronization between the proxy and the backend server's parser states. An attacker can exploit this by sending crafted requests that allow for the injection of arbitrary HTTP requests to the backend server. This can be used for various malicious purposes, including cache poisoning, bypassing access controls, and hijacking requests.

Defensive priority

High

Recommended defensive actions

• Update Tinyproxy to the latest version, which includes the fix for this vulnerability.
• Review and adjust configurations to ensure proper handling of HTTP headers.
• Implement additional monitoring and logging to detect potential exploitation attempts.
• Consider using alternative HTTP proxy solutions that are not vulnerable to this issue.
• Apply network security measures to limit exposure to untrusted networks.
• Regularly review and update software dependencies to ensure they are secure and up-to-date.

Evidence notes

The information provided is based on the CVE-2026-54387 record and related sources. The vulnerability was published on June 17, 2026, and modified on June 18, 2026. The CVSS score of 9.3 indicates a critical severity level. Evidence from the CVE record and related references confirms the vulnerability's existence and impact.

Official resources