VYPR
Vendor: Tinyproxy

Products: 1
CVEs: 14
Across products: 14
Status: Private

Recent CVEs (14)
  • CVE-2026-31842 High Apr 7, 2026
    risk 0.49 cvss 7.5 epss 0.01

    Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230…

  • CVE-2017-11747 Med Jul 30, 2017
    risk 0.36 cvss 5.5 epss 0.00

    main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tinyproxy.pid modification before a root…

  • CVE-2023-49606 May 1, 2024
    risk 0.06 cvss epss 0.63

    A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An…

  • CVE-2001-0129 Mar 12, 2001
    risk 0.04 cvss epss 0.14

    Buffer overflow in Tinyproxy HTTP proxy 1.3.3 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long connect request.

  • CVE-2012-3505 Oct 9, 2012
    risk 0.01 cvss epss 0.07

    Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that trigger hash collisions predictably.

  • CVE-2026-54388 Jun 17, 2026
    risk 0.00 cvss epss 0.00

    Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote…

  • CVE-2026-54387 Jun 17, 2026
    risk 0.00 cvss epss 0.00

    Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can…

  • CVE-2026-55202 Jun 17, 2026
    risk 0.00 cvss epss 0.00

    Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers…

  • CVE-2026-3945 Mar 30, 2026
    risk 0.00 cvss epss 0.01

    An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol()…

  • CVE-2025-63938 Nov 26, 2025
    risk 0.00 cvss epss 0.00

    Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.

  • CVE-2022-40468 Sep 19, 2022
    risk 0.00 cvss epss 0.01

    Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. Tinyproxy commit 84f203f and earlier use uninitialized buffers in process_request() function.

  • CVE-2011-1843 May 3, 2011
    risk 0.00 cvss epss 0.01

    Integer overflow in conf.c in Tinyproxy before 1.8.3 might allow remote attackers to bypass intended access restrictions in opportunistic circumstances via a TCP connection, related to improper handling of invalid port numbers.

  • CVE-2011-1499 Apr 29, 2011
    risk 0.00 cvss epss 0.02

    acl.c in Tinyproxy before 1.8.3, when an Allow configuration setting specifies a CIDR block, permits TCP connections from all IP addresses, which makes it easier for remote attackers to hide the origin of web traffic by leveraging the open HTTP proxy server.

  • CVE-2002-0847 Aug 12, 2002
    risk 0.00 cvss epss 0.03

    tinyproxy HTTP proxy 1.5.0, 1.4.3, and earlier allows remote attackers to execute arbitrary code via memory that is freed twice (double-free).