NVD
Briefly

"Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header. The is_chunked_transfer() function uses strcmp() to compare the header value against 'chunked', even though RFC 7230 specifies that transfer-coding names are case-insensitive."
"By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. This leads to inconsistent request state between Tinyproxy and backend servers, causing connections to hang indefinitely."
"This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, the unread body may be forwarded without proper inspection, resulting in potential security control bypass."
Tinyproxy versions through 1.11.3 have a vulnerability related to HTTP request parsing desynchronization caused by a case-sensitive comparison of the Transfer-Encoding header. The is_chunked_transfer() function incorrectly uses strcmp() for comparison, violating RFC 7230's case-insensitivity requirement. An unauthenticated remote attacker can exploit this by sending a request with a case-altered Transfer-Encoding header, leading to misinterpretation of the request. This results in potential denial of service and security control bypass in certain deployments.
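The comparison defect described above, as an added illustration that is not Tinyproxy's own code: `is_chunked_transfer_vulnerable()` models the strcmp() pattern the advisory names, and `is_chunked_transfer_fixed()` is a hypothetical RFC 7230-conforming replacement. The fixed version also goes slightly beyond the page by handling the comma-separated form of Transfer-Encoding, where "chunked" must be the final coding; both function names are assumptions for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Vulnerable pattern from the advisory: exact byte comparison, so a header
 * such as "Transfer-Encoding: Chunked" is treated as "no chunked body". */
static bool is_chunked_transfer_vulnerable(const char *value)
{
	return value != NULL && strcmp(value, "chunked") == 0;
}

/* Case-insensitive compare of len bytes of s against a lowercase literal. */
static bool token_eq(const char *s, size_t len, const char *lit)
{
	if (len != strlen(lit))
		return false;
	for (size_t i = 0; i < len; i++)
		if (tolower((unsigned char)s[i]) != lit[i])
			return false;
	return true;
}

/* Hardened form. RFC 7230 makes transfer-coding names case-insensitive and
 * allows a comma-separated list in which "chunked" must be the final coding,
 * so only the last non-empty list element is inspected, ignoring OWS. */
static bool is_chunked_transfer_fixed(const char *value)
{
	const char *last = NULL, *p = value;
	size_t len;
	if (value == NULL)
		return false;
	while (*p) {
		while (*p == ' ' || *p == '\t' || *p == ',')
			p++;
		if (!*p)
			break;
		last = p;
		while (*p && *p != ',')
			p++;
	}
	if (last == NULL)
		return false;
	len = strcspn(last, ",");
	while (len > 0 && (last[len - 1] == ' ' || last[len - 1] == '\t'))
		len--;
	return token_eq(last, len, "chunked");
}
```

Any header value on which the two functions disagree is one the vulnerable proxy reads as body-less while a conforming origin server reads it as chunked, which is the desynchronization the advisory describes.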