CVE-2026-54388
Published 2026-06-17. CVE-2026-54388: Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all…
Priority: P260 · critical · CVSS 3.1 base score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.44% (35.1 percentile)
Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tinyproxy | tinyproxy | <= 1.11.3 | commit 364cdb6 (no fixed release version listed) |
Detection & IOCs (extracted from sources)
- Detect HTTP requests forwarded through Tinyproxy (≤ 1.11.3) that contain multiple Content-Length headers with differing values: the duplicate-Content-Length ("CL.CL") HTTP Request Smuggling pattern used to desynchronize proxy and backend parser state. Because the vulnerable versions forward every duplicate header unchanged, a capture on the proxy-to-backend leg still shows both values.
- Monitor for the outcomes of HTTP Request Smuggling behind Tinyproxy: unexpected cache poisoning events, access control bypass anomalies, or request hijacking indicators on backend servers.
- Tinyproxy versions through 1.11.3 are vulnerable; the fix was introduced in commit 364cdb6. Verify the deployed version and whether the distribution package carries the backported commit before concluding exposure.
- Fedora and EPEL package updates (tinyproxy-1.11.2-8) have been submitted or pushed to testing repositories for Fedora 43, 44 and EPEL 8, 9, 10.2 and 10.3; confirm stable promotion before treating a host as patched. Note that the version string 1.11.2-8 is below 1.11.3, so a check that compares only the upstream version number will misclassify a patched package as vulnerable.
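The desynchronization the advisory describes, as an added example that is not Tinyproxy code. Two parsers read the same byte stream: one honours the first Content-Length value (the policy the advisory ascribes to Tinyproxy ≤ 1.11.3) and one honours the last, which is an assumed backend policy used for illustration (any backend that disagrees with the proxy produces the same effect). The function `has_conflicting_content_length` doubles as the detection predicate from the first item above and as the check a fixed proxy applies, since RFC 9110 §8.6 requires rejecting a message whose Content-Length values disagree. The request bytes, the host name and all function names are constructed for this example.

```python
"""Duplicate Content-Length desynchronization, modelled end to end.

Added example, not Tinyproxy code. The FIRST-value policy is what the
advisory describes for the vulnerable proxy; the LAST-value backend is an
assumption made for illustration. All inputs below are constructed.
"""
from __future__ import annotations

from typing import Callable

CRLF = b"\r\n"


def parse_head(raw: bytes) -> tuple[bytes, list[tuple[bytes, bytes]], bytes]:
    """Split raw bytes into (request line, [(name, value)], bytes after the head)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def content_lengths(headers: list[tuple[bytes, bytes]]) -> list[int]:
    """Every Content-Length value seen, including comma-separated lists in one field."""
    values = []
    for name, value in headers:
        if name == b"content-length":
            values.extend(int(part.strip()) for part in value.split(b","))
    return values


def has_conflicting_content_length(headers: list[tuple[bytes, bytes]]) -> bool:
    """True when the message carries more than one distinct Content-Length value.

    Detection predicate for the smuggling pattern, and the condition under
    which RFC 9110 s8.6 requires a recipient to reject the message
    (identical repeated values may instead be collapsed to one).
    """
    return len(set(content_lengths(headers))) > 1


def split_requests(stream: bytes, choose: Callable[[list[int]], int],
                   strict: bool = False) -> list[tuple[bytes, bytes]]:
    """Cut a byte stream into (request line, body) pairs.

    `choose` picks the authoritative length from the Content-Length values,
    modelling one parser's policy. strict=True is the fixed behaviour:
    refuse a message whose values disagree instead of guessing.
    """
    messages = []
    buf = stream
    while buf:
        request_line, headers, rest = parse_head(buf)
        if strict and has_conflicting_content_length(headers):
            raise ValueError("400 Bad Request: conflicting Content-Length")
        lengths = content_lengths(headers)
        n = choose(lengths) if lengths else 0
        if len(rest) < n:
            raise ValueError("incomplete body: parser would block for more bytes")
        messages.append((request_line, rest[:n]))
        buf = rest[n:]
    return messages


def first_value(lengths: list[int]) -> int:
    return lengths[0]


def last_value(lengths: list[int]) -> int:
    return lengths[-1]


# Constructed attacker stream: the POST body is itself a complete request
# that the proxy never evaluates as a request of its own.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n"
ATTACK = b"".join([
    b"POST /upload HTTP/1.1\r\n",
    b"Host: app.internal\r\n",
    b"Content-Length: " + str(len(SMUGGLED)).encode() + CRLF,  # first value
    b"Content-Length: 0\r\n",                                  # conflicting second value
    CRLF,
    SMUGGLED,
])


def proxy_view(stream: bytes = ATTACK) -> list[tuple[bytes, bytes]]:
    """What the vulnerable proxy sees: one POST whose body is the smuggled bytes."""
    return split_requests(stream, first_value)


def backend_view(stream: bytes = ATTACK) -> list[tuple[bytes, bytes]]:
    """What a last-value backend sees on the forwarded stream: the POST, then GET /admin."""
    return split_requests(stream, last_value)


if __name__ == "__main__":
    for label, view in (("proxy", proxy_view()), ("backend", backend_view())):
        print(label, [line for line, _ in view])
    try:
        split_requests(ATTACK, first_value, strict=True)
    except ValueError as exc:
        print("fixed proxy:", exc)
```

Run as a script, the proxy reports a single `POST /upload` while the backend reports `POST /upload` followed by `GET /admin`, a request the proxy's access controls never examined. Reversing the two values (a small first value and a large last one) gives the other failure mode: the backend blocks waiting for body bytes and absorbs the next forwarded request into the POST body, which is the request-hijacking case. The model deliberately ignores Transfer-Encoding; a production check must also reject a message that carries both Transfer-Encoding and Content-Length.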
CVSS provenance
- NVD, CVSS v3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- cvelistv5, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
GHSA
ghsa_unreviewed · 2026-06-17
CVE-2026-54388 [CRITICAL] CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling'). Description: identical to the CVE text above.
CVEList
Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers
cvelistv5 · 2026-06-17 · CVSS 9.3
CVE-2026-54388 [CRITICAL] CWE-444. Description: identical to the CVE text above.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54388 tinyproxy: HTTP Request Smuggling via duplicate Content-Length headers [epel-all]
bugzilla · 2026-06-18 · [CRITICAL]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-EPEL-2026-7a8fdd2831 (tinyproxy-1.11.2-8.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-7a8fdd2831
---
FEDORA-EPEL-2026-e8f116233b (tinyproxy-1.11.2-8.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-e8f116233b
---
FEDORA-EPEL-2026-8718e36cc0 (tinyproxy-1.11.2-8.el10_3) has been submitted as an update to Fedora EPEL 1
Bugzilla
CVE-2026-54388 tinyproxy: HTTP Request Smuggling via duplicate Content-Length headers [fedora-all]
bugzilla · 2026-06-18 · [CRITICAL]
Discussion:
FEDORA-2026-efbe094630 (tinyproxy-1.11.2-8.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-efbe094630
---
FEDORA-2026-77f1ca9c8f (tinyproxy-1.11.2-8.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-77f1ca9c8f
---
FEDORA-2026-77f1ca9c8f has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the followi
Bugzilla
CVE-2026-54388 tinyproxy: HTTP Request Smuggling via duplicate Content-Length headers
bugzilla · 2026-06-17 · [CRITICAL]
Description: identical to the CVE text above.
References
- https://github.com/tinyproxy/tinyproxy/commit/364cdb67e0ea00a8e4a7037e2693e0711e816adb
- https://github.com/tinyproxy/tinyproxy/issues/609
- https://github.com/tinyproxy/tinyproxy/pull/610
- https://www.vulncheck.com/advisories/tinyproxy-http-request-smuggling-via-duplicate-content-length-headers
Published 2026-06-17