VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2026 · Updated Jun 17, 2026

Tinyproxy - Stathost Detection Bypass via Host Header Manipulation

CVE-2026-55202

Description

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1

Patches

Vulnerability mechanics

Root cause

"Missing validation of the Host header in stathost detection allows an attacker to impersonate the stathost via a crafted Host header."

Attack vector

An unauthenticated remote attacker can send an HTTP request to Tinyproxy with a `Host` header that matches the configured `stathost` (e.g., `Host: tinyproxy.stats`). Because the old code only checked the request URL's host field and used a flawed `strncmp` in the auth path, the attacker can trigger the stats page or have the request misclassified as a transparent proxy connection, bypassing access controls [ref_id=1]. The attacker needs only network access to the Tinyproxy listener; no authentication is required.

Affected code

The vulnerability resides in `src/reqs.c` within the `process_request` and `handle_connection` functions. Prior to the patch, stathost detection only compared the request URL's host field using `strcmp`, ignoring the `Host` header entirely, and the `handle_connection` function used a prefix-based `strncmp` check that could be bypassed with a crafted Host header or port suffix.

What the fix does

The patch introduces a new `is_stathost` helper function that correctly compares a hostname (with optional trailing colon/port) against the configured stathost [patch_id=6466824]. It moves the stathost check to occur before the transparent proxy detection logic, so a request with a matching `Host` header is recognized as a stats request rather than being misrouted. The old `strncmp`-based check in `handle_connection` is replaced with the same robust helper, closing the prefix-match bypass.
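The contrast the advisory draws, a length-bounded prefix comparison versus an exact match that tolerates only a port suffix, as an added C example. This is not Tinyproxy's `is_stathost`; the function names, the constructed `stathost` value and the header values in the comments are assumptions that model the described fix.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Weak check in the shape the advisory attributes to the old handle_connection
 * path: compare only the first strlen(stathost) bytes. Any host value that
 * merely begins with the stathost string passes. */
bool stathost_prefix_match(const char *host, const char *stathost)
{
    return strncmp(host, stathost, strlen(stathost)) == 0;
}

/* Hardened check modeled on the described fix (hypothetical helper, not the
 * project's own is_stathost): the host must equal the stathost exactly,
 * compared case-insensitively as DNS names are, and the only thing allowed
 * after it is an optional ':' followed by digits. "tinyproxy.stats.example"
 * and "tinyproxy.statsX" are rejected; "tinyproxy.stats", "tinyproxy.stats:"
 * and "tinyproxy.stats:8080" are accepted. */
bool stathost_match(const char *host, const char *stathost)
{
    if (host == NULL || stathost == NULL || *stathost == '\0')
        return false;

    /* Walk both strings together. A host shorter than the stathost fails
     * here because its terminating '\0' never matches a stathost byte. */
    const char *h = host, *s = stathost;
    for (; *s != '\0'; h++, s++) {
        if (tolower((unsigned char)*h) != tolower((unsigned char)*s))
            return false;
    }

    if (*h == '\0')
        return true;            /* exact hostname match */
    if (*h != ':')
        return false;           /* longer name: a prefix match only, reject */

    /* Optional port: every byte after ':' must be a digit (empty allowed). */
    for (h++; *h != '\0'; h++) {
        if (!isdigit((unsigned char)*h))
            return false;
    }
    return true;
}
```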

Preconditions

  • Network: Attacker must have network access to the Tinyproxy listener (default port 8080)
  • Auth: No authentication required; the vulnerability is exploitable pre-auth
  • Config: Tinyproxy must have a stathost configured (default is often 'tinyproxy.stats')

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.