CVE-2026-54387
published 2026-06-17

Priority: P259 · Severity: critical 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.44% (35.1th percentile)
Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

Affected

1 range

Vendor      Product     Version range   Fixed in
tinyproxy   tinyproxy   <= 1.11.3       commit ff45d3b

Detection & IOCs (extracted from sources)

  • Detect HTTP requests forwarded by Tinyproxy that contain BOTH a Content-Length header AND a Transfer-Encoding: chunked header simultaneously — this is the CL/TE desynchronization vector used to smuggle requests to the backend.
  • Monitor backend servers sitting behind Tinyproxy (≤ 1.11.3) for unexpected or out-of-order HTTP requests that were not initiated by a known client — these may indicate injected requests resulting from proxy/backend parser desynchronization.
  • Flag Tinyproxy instances running version 1.11.3 or earlier (prior to fix commit ff45d3b) as vulnerable to HTTP Request Smuggling (CL/TE desynchronization).
  • The vulnerability is fixed in Tinyproxy commit ff45d3b. Deployments must be patched to this commit or later to remediate the CL/TE smuggling issue; version number alone (1.11.3) is insufficient to confirm a patched state.
  • Tinyproxy uses Content-Length (not Transfer-Encoding) to determine how many request body bytes to consume, meaning the chunked body is forwarded verbatim to the backend — backend parsers that honour Transfer-Encoding: chunked will interpret smuggled data as a new request.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd         v4.0      9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cvelistv5   v4.0      9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N