PatchSiren cyber security CVE debrief
CVE-2026-54388 tinyproxy CVE debrief
CVE-2026-54388 is a critical vulnerability in Tinyproxy, a small HTTP proxy server. The issue allows remote attackers to desynchronize the proxy and backend parser state by sending requests with multiple Content-Length headers containing different values. This enables attackers to inject arbitrary HTTP requests to the backend, potentially leading to cache poisoning, access control bypass, and request hijacking. The vulnerability was fixed in commit 364cdb6. Organizations using Tinyproxy should take immediate action to mitigate this vulnerability.
- Vendor: tinyproxy
- Product: tinyproxy
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-22
Who should care
System administrators and security teams responsible for Tinyproxy installations should be aware of this critical vulnerability. Additionally, developers and DevOps teams using Tinyproxy in their infrastructure should prioritize patching to prevent potential attacks.
Technical summary
Tinyproxy through version 1.11.3 fails to reject requests containing multiple Content-Length headers with differing values. Instead, it forwards all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. This behavior allows remote attackers to desynchronize the proxy and backend parser state, enabling injection of arbitrary HTTP requests to the backend. The vulnerability has a CVSS score of 9.3 and is classified as CRITICAL.
Defensive priority
High
Recommended defensive actions
- Update Tinyproxy to the latest version or apply the fix from commit 364cdb6.
- Reject incoming requests that carry more than one Content-Length header before they reach Tinyproxy.
- Implement additional monitoring to detect potential exploitation attempts.
- Consider using alternative HTTP proxy solutions with built-in protection against such attacks.
- Regularly review and update Tinyproxy configurations to ensure secure operation.
- Isolate critical systems and services to limit the attack surface.
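An added example, not Tinyproxy's or PatchSiren's code, that models the parser divergence from the technical summary and implements the header check behind the "reject requests with more than one Content-Length" action. The request bytes are constructed for illustration; the code shows that a parser honouring the first Content-Length value (the unpatched proxy) and one honouring the last value split the same byte stream differently, and it returns a reason to refuse forwarding before that ambiguity can reach a backend.

```python
from typing import List, Optional, Tuple

# Constructed sample: two Content-Length headers that disagree (11-byte body).
SAMPLE = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"hello world"
)

def content_length_values(head: bytes) -> List[int]:
    """Every Content-Length value in the head (repeated or comma-joined); ValueError on non-digits."""
    values: List[int] = []
    for line in head.split(b"\r\n")[1:]:  # index 0 is the request line
        if not line:
            break  # blank line ends the header section
        name, sep, val = line.partition(b":")
        if not sep or name.strip().lower() != b"content-length":
            continue
        for piece in val.split(b","):
            piece = piece.strip()
            if not piece.isdigit():
                raise ValueError(f"invalid Content-Length: {piece!r}")
            values.append(int(piece))
    return values

def reject_reason(head: bytes) -> Optional[str]:
    """Why a front-end should refuse to forward, or None if the framing is unambiguous."""
    try:
        values = content_length_values(head)
    except ValueError as exc:
        return str(exc)
    if len(set(values)) > 1:
        return f"conflicting Content-Length values {sorted(set(values))}"
    return None

def body_split(raw: bytes, use_first: bool) -> Tuple[bytes, bytes]:
    """(body consumed, bytes left on the connection) under one framing policy."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    values = content_length_values(head)
    n = 0 if not values else (values[0] if use_first else values[-1])
    return rest[:n], rest[n:]

def parsers_disagree(raw: bytes) -> bool:
    """True when a first-value parser (unpatched Tinyproxy) and a last-value parser leave different leftovers."""
    return body_split(raw, True) != body_split(raw, False)
```

Identical repeated values (for example `Content-Length: 5, 5`) are accepted, matching RFC 9110's allowance for duplicate-but-equal values; only differing or non-numeric values are refused.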
Evidence notes
The information provided is based on data from the National Vulnerability Database (NVD) and VulnCheck. The CVE record and NVD detail pages provide official information about the vulnerability. Additional sources include GitHub commits, issues, and pull requests related to the Tinyproxy project.
Official resources
CVE-2026-54388 was published on 2026-06-17T20:17:27.623Z and modified on 2026-06-18T17:16:33.993Z.