CVE-2026-31842
Published: 07 April 2026
Summary
CVE-2026-31842 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31842 is a vulnerability in Tinyproxy through version 1.11.3 that enables HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function employs strcmp() to match the header value against "chunked", disregarding RFC 7230's requirement for case-insensitive transfer-coding names. This flaw carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-444 (Inconsistent Interpretation of HTTP Requests).
An unauthenticated remote attacker can exploit this by crafting a request with "Transfer-Encoding: Chunked", prompting Tinyproxy to treat it as having no body. It then sets content_length.client to -1, bypasses pull_client_data_chunked(), forwards only the request headers upstream, and shifts to relay_connection() for raw TCP forwarding, leaving unread body data buffered. This desynchronizes Tinyproxy from RFC-compliant backends like Node.js or Nginx, which await the chunked body and hang indefinitely, enabling application-level denial-of-service through backend worker exhaustion. In configurations relying on Tinyproxy for request-body inspection, filtering, or security enforcement, the unprocessed body may bypass these controls.
The vulnerability is documented in the Tinyproxy GitHub repository at https://github.com/tinyproxy/tinyproxy and specifically tracked in issue #604 at https://github.com/tinyproxy/tinyproxy/issues/604. RFC 7230, available at https://datatracker.ietf.org/doc/html/rfc7230, outlines the case-insensitive header handling standard. Security practitioners should monitor the Tinyproxy repository for patches addressing versions through 1.11.3.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19603
Vulnerability details
Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding…
more
names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of public-facing Tinyproxy (T1190) to trigger backend DoS via HTTP desync/app exploitation (T1499.004); body-inspection bypass is secondary but not mapped to a specific technique.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the vulnerability by requiring timely patching of the case-sensitive Transfer-Encoding parsing flaw in Tinyproxy to prevent request desynchronization and DoS.
Mandates validation of HTTP inputs like Transfer-Encoding headers with case-insensitive checks to avoid misparsing and body forwarding inconsistencies.
Provides protection against the application-level DoS resulting from backend worker exhaustion due to hanging connections from desynchronized requests.