Cyber Resilience

CVE-2026-31842

High

Published: 07 April 2026

Modified: 07 April 2026
CVSS v4.0 score: 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0090 (55.0th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31842 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.0% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31842 is a vulnerability in Tinyproxy through version 1.11.3 that enables HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function employs strcmp() to match the header value against "chunked", disregarding RFC 7230's requirement for case-insensitive transfer-coding names. This flaw carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-444 (Inconsistent Interpretation of HTTP Requests).

An unauthenticated remote attacker can exploit this by crafting a request with "Transfer-Encoding: Chunked", prompting Tinyproxy to treat it as having no body. It then sets content_length.client to -1, bypasses pull_client_data_chunked(), forwards only the request headers upstream, and shifts to relay_connection() for raw TCP forwarding, leaving unread body data buffered. This desynchronizes Tinyproxy from RFC-compliant backends like Node.js or Nginx, which await the chunked body and hang indefinitely, enabling application-level denial-of-service through backend worker exhaustion. In configurations relying on Tinyproxy for request-body inspection, filtering, or security enforcement, the unprocessed body may bypass these controls.

The vulnerability is documented in the Tinyproxy GitHub repository at https://github.com/tinyproxy/tinyproxy and specifically tracked in issue #604 at https://github.com/tinyproxy/tinyproxy/issues/604. RFC 7230, available at https://datatracker.ietf.org/doc/html/rfc7230, outlines the case-insensitive header handling standard. Security practitioners should monitor the Tinyproxy repository for patches addressing versions through 1.11.3.
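As an added example (not Tinyproxy's code or its patch), the case-sensitive comparison pattern the advisory describes is shown beside an RFC 7230 style classifier that treats transfer-coding names case-insensitively, tolerates list whitespace and parameters, and distinguishes "chunked is the final coding" from "codings present but chunked is not last", which a proxy should reject rather than treat as "no body". Function and enum names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Vulnerable pattern described in the advisory: an exact, case-sensitive
 * match, so "Chunked" or "CHUNKED" is not recognised as chunked. */
bool is_chunked_strcmp(const char *value)
{
    return strcmp(value, "chunked") == 0;
}

/* Hypothetical result type for the hardened check. */
enum te_result { TE_NO_CODINGS = 0, TE_CHUNKED_FINAL = 1, TE_REJECT = 2 };

/* RFC 7230 style classification of a Transfer-Encoding field value:
 * codings form a comma-separated list, names are case-insensitive, optional
 * whitespace and ";param" suffixes are ignored, and "chunked" must be the
 * final coding. TE_REJECT means codings are present but chunked is not last;
 * a proxy should answer such a request with 400, never assume "no body". */
enum te_result classify_transfer_encoding(const char *value)
{
    const char *last = NULL;   /* start of the last non-empty coding name */
    size_t last_len = 0;
    const char *p = value;

    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;   /* skip OWS and empty elements */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',') p++;                        /* end of this list element */
        const char *end = p;
        const char *semi = memchr(start, ';', (size_t)(end - start));
        if (semi) end = semi;                               /* drop transfer-parameters */
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;  /* trim trailing OWS */
        if (end > start) { last = start; last_len = (size_t)(end - start); }
    }
    if (!last) return TE_NO_CODINGS;
    if (last_len != 7) return TE_REJECT;
    for (size_t i = 0; i < 7; i++)
        if (tolower((unsigned char)last[i]) != "chunked"[i]) return TE_REJECT;
    return TE_CHUNKED_FINAL;
}
```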


Vulnerability details

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE enables remote exploitation of public-facing Tinyproxy (T1190) to trigger a backend DoS through HTTP desynchronization (T1499.004); the body-inspection bypass is a secondary impact and is not mapped to a specific technique.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40562 (shared CWE-444)
CVE-2026-41873 (shared CWE-444)
CVE-2026-23527 (shared CWE-444)
CVE-2026-2833 (shared CWE-444)
CVE-2026-28368 (shared CWE-444)
CVE-2025-31958 (shared CWE-444)
CVE-2026-24880 (shared CWE-444)
CVE-2026-33870 (shared CWE-444)
CVE-2026-2332 (shared CWE-444)
CVE-2026-40560 (shared CWE-444)


Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Directly addresses the vulnerability by requiring timely patching of the case-sensitive Transfer-Encoding parsing flaw in Tinyproxy to prevent request desynchronization and DoS.

Prevent (SI-10, Information Input Validation): Mandates validation of HTTP inputs like Transfer-Encoding headers with case-insensitive checks to avoid misparsing and body forwarding inconsistencies.

Prevent: Provides protection against the application-level DoS resulting from backend worker exhaustion due to hanging connections from desynchronized requests.
