Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers
Description
Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing duplicate Content-Length header rejection allows the proxy and backend to disagree on request body boundaries."
Attack vector
A remote attacker sends an HTTP request containing multiple `Content-Length` headers with different values (e.g., `Content-Length: 5` and `Content-Length: 100`). Tinyproxy uses the first value to read the request body but forwards all duplicate headers to the backend. The backend interprets the last `Content-Length` value, causing a mismatch in body size. The extra bytes beyond the first value are treated by the backend as the start of a new HTTP request, enabling request smuggling. [CWE-444] [ref_id=1]
Affected code
The vulnerability is in `src/reqs.c` in the `add_header_to_connection` function and the `pseudomap_append` / `pseudomap_find_index` functions in `src/pseudomap.c`. The proxy forwards all duplicate Content-Length headers to the backend without rejecting requests that contain multiple differing values, and uses only the first value to determine how many body bytes to consume. [ref_id=1]
What the fix does
The patch in commit 364cdb6 adds a check in `add_header_to_connection` (in `src/reqs.c`) that detects when a `Content-Length` header is about to be inserted and the `content-length` key already exists in the header hash map. If a duplicate is found, the function returns 0 without appending the duplicate header, preventing multiple Content-Length headers from being forwarded to the backend. This closes the desync vector described in Finding 2 of the advisory. [patch_id=6466820] [ref_id=1]
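The duplicate-header check described above, as an added illustration that is not Tinyproxy's code: a minimal header store standing in for the project's pseudomap, with a hardened insert routine that treats a second `Content-Length` carrying a different value as a framing conflict the proxy must reject rather than forward. The store, field sizes and function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_HEADERS 32

/* Illustrative header store; stands in for the proxy's header map. */
struct header { char name[64]; char value[256]; };
struct headers { struct header h[MAX_HEADERS]; int n; };

/* Index of the first header with this name (case-insensitive), or -1. */
static int find_header(const struct headers *hs, const char *name) {
    for (int i = 0; i < hs->n; i++)
        if (strcasecmp(hs->h[i].name, name) == 0) return i;
    return -1;
}

/* Hardened insert: a second Content-Length with a different value means the
 * proxy and backend could disagree on the body boundary, so refuse it (-1).
 * An identical repeat is dropped (0); any other header is appended (1). */
static int add_header(struct headers *hs, const char *name, const char *value) {
    if (strcasecmp(name, "Content-Length") == 0) {
        int idx = find_header(hs, name);
        if (idx >= 0)
            return strcmp(hs->h[idx].value, value) == 0 ? 0 : -1;
    }
    if (hs->n >= MAX_HEADERS) return -1;
    snprintf(hs->h[hs->n].name, sizeof hs->h[hs->n].name, "%s", name);
    snprintf(hs->h[hs->n].value, sizeof hs->h[hs->n].value, "%s", value);
    hs->n++;
    return 1;
}

/* Parses a CRLF-delimited header block ending in an empty line. Returns the
 * number of headers kept, or -1 if the block is malformed or carries
 * conflicting Content-Length values and must be answered with 400, not proxied. */
static int parse_header_block(const char *block, struct headers *hs) {
    const char *p = block;
    hs->n = 0;
    while (*p && strncmp(p, "\r\n", 2) != 0) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) return -1;                       /* unterminated line */
        const char *colon = memchr(p, ':', (size_t)(eol - p));
        if (!colon) return -1;                     /* no name/value separator */
        char name[64], value[256];
        snprintf(name, sizeof name, "%.*s", (int)(colon - p), p);
        colon++;
        while (*colon == ' ') colon++;             /* skip optional whitespace */
        snprintf(value, sizeof value, "%.*s", (int)(eol - colon), colon);
        if (add_header(hs, name, value) < 0) return -1;
        p = eol + 2;
    }
    return hs->n;
}
```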
Preconditions
- Network: The attacker must be able to send HTTP requests to the Tinyproxy instance (network reachable).
- Input: The attacker must craft a request with at least two Content-Length headers having different numeric values.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/tinyproxy/tinyproxy/commit/364cdb67e0ea00a8e4a7037e2693e0711e816adb (MITRE: patch)
- www.vulncheck.com/advisories/tinyproxy-http-request-smuggling-via-duplicate-content-length-headers (MITRE: third-party advisory)
- github.com/tinyproxy/tinyproxy/issues/609 (MITRE: technical description)
- github.com/tinyproxy/tinyproxy/pull/610 (MITRE: issue tracking)