CVE-2026-54387
Published 2026-06-17
Priority P2 · 59 · critical 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.44% (35.1 percentile)
Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tinyproxy | tinyproxy | <= 1.11.3 | — |
Detection & IOCs (extracted from sources)
- Detect HTTP requests forwarded by Tinyproxy that contain BOTH a Content-Length header AND a Transfer-Encoding: chunked header simultaneously — this is the CL/TE desynchronization vector used to smuggle requests to the backend.
- Monitor backend servers sitting behind Tinyproxy (≤ 1.11.3) for unexpected or out-of-order HTTP requests that were not initiated by a known client — these may indicate injected requests resulting from proxy/backend parser desynchronization.
- Flag Tinyproxy instances running version 1.11.3 or earlier (prior to fix commit ff45d3b) as vulnerable to HTTP Request Smuggling (CL/TE desynchronization).
- The vulnerability is fixed in Tinyproxy commit ff45d3b. Deployments must be patched to this commit or later to remediate the CL/TE smuggling issue; the version number alone (1.11.3) is insufficient to confirm a patched state.
- Tinyproxy uses Content-Length (not Transfer-Encoding) to determine how many request body bytes to consume, meaning the chunked body is forwarded verbatim to the backend — backend parsers that honour Transfer-Encoding: chunked will interpret smuggled data as a new request.
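As an added example (not code from the advisory or from the Tinyproxy project), a small Python checker that applies the first detection item above: it classifies how each request body is framed according to RFC 7230 section 3.3.3 and flags any request carrying both Content-Length and Transfer-Encoding as ambiguous, which is what a proxy should refuse to forward. The sample requests are constructed, not captured traffic.

```python
from typing import List, Tuple

def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into its request line and lower-cased (name, value) headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line; ignored for classification
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def classify_framing(raw: bytes) -> str:
    """Return how the body length would be determined:
    'content-length', 'chunked', 'none', or 'ambiguous' (reject, do not forward)."""
    _, headers = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    # Transfer-Encoding may list several codings; chunked must be the final one.
    codings = [c.strip().lower() for v in te for c in v.split(",")]
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        return "ambiguous"  # duplicate or non-numeric Content-Length
    if te and cl:
        return "ambiguous"  # the CL/TE conflict Tinyproxy <= 1.11.3 forwards verbatim
    if te:
        return "chunked" if codings and codings[-1] == "chunked" else "ambiguous"
    if cl:
        return "content-length"
    return "none"

def scan(requests: List[bytes]) -> List[str]:
    """Return the request line of every request a proxy should refuse to forward."""
    return [parse_head(r)[0] for r in requests if classify_framing(r) == "ambiguous"]

# Constructed sample traffic: one clean request per framing mode and one that
# carries both headers (benign body, header names in mixed case on purpose).
SAMPLES = [
    b"POST /a HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello",
    b"POST /b HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    b"POST /c HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\ntransfer-encoding: Chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
]

if __name__ == "__main__":
    print(scan(SAMPLES))  # ['POST /c HTTP/1.1']
```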
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| cvelistv5 | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
GHSA
ghsa_unreviewed · 2026-06-17 · CVE-2026-54387 [CRITICAL] CWE-444
(description identical to the CVE record above)
CVEList
Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization
cvelistv5 · 2026-06-17 · CVSS 9.3 · CVE-2026-54387 [CRITICAL] CWE-444
(description identical to the CVE record above)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54387 tinyproxy: HTTP Request Smuggling via CL/TE desynchronization [epel-all]
bugzilla · 2026-06-18 · [CRITICAL]
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package before starting the update process.
Discussion:
FEDORA-EPEL-2026-e8f116233b (tinyproxy-1.11.2-8.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-e8f116233b
---
FEDORA-EPEL-2026-8718e36cc0 (tinyproxy-1.11.2-8.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-8718e36cc0
---
FEDORA-EPEL-2026-00b57a4454 (tinyproxy-1.11.2-8.el8) has been submitted as an update to Fedora EPEL 8.
https://bo
Bugzilla
CVE-2026-54387 tinyproxy: HTTP Request Smuggling via CL/TE desynchronization [fedora-all]
bugzilla · 2026-06-18 · [CRITICAL]
Discussion:
FEDORA-2026-efbe094630 (tinyproxy-1.11.2-8.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-efbe094630
---
FEDORA-2026-77f1ca9c8f (tinyproxy-1.11.2-8.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-77f1ca9c8f
---
FEDORA-2026-77f1ca9c8f has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following comman
Bugzilla
CVE-2026-54387 tinyproxy: HTTP Request Smuggling via CL/TE desynchronization
bugzilla · 2026-06-17 · [CRITICAL]
(description identical to the CVE record above)
Published 2026-06-17