## Tinyproxy 1.11.3 HTTP Request Parsing Desynchronization Vulnerability (CVE-2026-31842)
A critical vulnerability in Tinyproxy, tracked as CVE-2026-31842, exposes the proxy to HTTP request parsing desynchronization. The flaw stems from a case-sensitive comparison of the Transfer-Encoding header value: a remote, unauthenticated client can make the proxy decide where a request ends differently from the upstream server, leaving the proxy's internal state inconsistent with the bytes on the wire and opening the door to request smuggling and related security bypasses.

The vulnerability resides in the `is_chunked_transfer()` function in `src/reqs.c`. That function uses `strcmp()` to test whether the header value equals "chunked", an exact, case-sensitive match. RFC 7230 (section 4; the same rule carries over to its successor RFC 9112) specifies that transfer-coding names are case-insensitive, so `Chunked` and `CHUNKED` must be treated the same as `chunked`. By sending a request with `Transfer-Encoding: Chunked`, an attacker can make Tinyproxy (through version 1.11.3) misclassify the request as having no body: the proxy sets `content_length.client` to -1, skips `pull_client_data_chunked()`, and forwards the request headers upstream while the chunked body the client sent is still unread in its buffer. An RFC-conformant upstream server, by contrast, reads that body as chunked, so the two ends of the proxied connection no longer agree on where the request ends.

Because the proxy believes the request is already complete, it drops into `relay_connection()` and forwards bytes in both directions as raw TCP, so from that point its model of the request boundary no longer matches the data stream. Whether this inconsistency between the client-side and upstream connections is exploitable, and for what, depends on the deployment: the usual outcomes of this bug class are request smuggling past proxy-side controls, cache poisoning, and bypass of filtering or access rules that are applied only to the request the proxy parsed. Package maintainers, including those for Nixpkgs (issue NIXPKGS-2026-0995), are now under pressure to patch this protocol-level parsing error; until a fixed build ships, Tinyproxy 1.11.3 and earlier should be treated as exposed wherever untrusted clients can reach it.
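To make the bug class concrete, the following is an added example, not Tinyproxy's source and not the CVE's patch. It places a case-sensitive `chunked` check (the pattern the advisory describes) next to a case-insensitive one that also handles the comma-separated list form RFC 7230 allows, and runs both over a constructed request carrying `Transfer-Encoding: Chunked`. The function names (`is_chunked_vulnerable`, `is_chunked_fixed`, `body_framing`, `find_header`), the `framing_t` enum and `SAMPLE_REQUEST` are all assumptions made for illustration.

```c
/* Added example (not Tinyproxy source, not the CVE fix): the header-comparison
 * bug class described above. Function names, the classifier and the sample
 * request are constructed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable check: exact, case-sensitive match, the pattern the advisory
 * describes for is_chunked_transfer(). "Chunked" or "CHUNKED" fail here. */
int is_chunked_vulnerable(const char *value)
{
    return strcmp(value, "chunked") == 0;
}

/* Case-insensitive comparison of a counted span against a C string. */
static int ieq(const char *a, size_t alen, const char *b)
{
    if (alen != strlen(b)) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Hardened check. RFC 7230: transfer-coding names are case-insensitive, the
 * value is a comma-separated list, and "chunked" must be the final coding
 * for the body length to be determinable. Surrounding whitespace is trimmed. */
int is_chunked_fixed(const char *value)
{
    const char *last = NULL, *p = value;
    size_t lastlen = 0;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;   /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',') p++;                        /* one list element */
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        if (end > start) { last = start; lastlen = (size_t)(end - start); }
    }
    return last != NULL && ieq(last, lastlen, "chunked");
}

typedef enum { FRAMING_NONE = 0, FRAMING_CHUNKED = 1, FRAMING_CONTENT_LENGTH = 2 } framing_t;

/* Copy the value of header `name` (field names are case-insensitive too) from
 * the header block of a raw request into `out`. Returns 1 if found. */
static int find_header(const char *req, const char *name, char *out, size_t outsz)
{
    const char *eol = strstr(req, "\r\n");
    if (!eol) return 0;
    const char *line = eol + 2;                               /* skip request line */
    while (*line && strncmp(line, "\r\n", 2) != 0) {          /* stop at blank line */
        eol = strstr(line, "\r\n");
        if (!eol) eol = line + strlen(line);
        const char *colon = memchr(line, ':', (size_t)(eol - line));
        if (colon && ieq(line, (size_t)(colon - line), name)) {
            const char *v = colon + 1;
            while (v < eol && (*v == ' ' || *v == '\t')) v++; /* strip OWS */
            size_t vlen = (size_t)(eol - v);
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!*eol) break;
        line = eol + 2;
    }
    return 0;
}

/* Decide how the request body is framed with the supplied chunked check.
 * Per RFC 7230, Transfer-Encoding takes precedence over Content-Length. */
framing_t body_framing(const char *req, int (*chunked_check)(const char *))
{
    char val[128];
    if (find_header(req, "Transfer-Encoding", val, sizeof val) && chunked_check(val))
        return FRAMING_CHUNKED;
    if (find_header(req, "Content-Length", val, sizeof val))
        return FRAMING_CONTENT_LENGTH;
    return FRAMING_NONE;
}

/* Constructed request: capital-C "Chunked" with a chunked body attached. */
const char SAMPLE_REQUEST[] =
    "POST /upload HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Transfer-Encoding: Chunked\r\n"
    "\r\n"
    "5\r\nhello\r\n0\r\n\r\n";

int main(void)
{
    printf("vulnerable check: framing %d (0 = no body, proxy stops reading)\n",
           body_framing(SAMPLE_REQUEST, is_chunked_vulnerable));
    printf("hardened check:   framing %d (1 = chunked, body is consumed)\n",
           body_framing(SAMPLE_REQUEST, is_chunked_fixed));
    return 0;
}
```

For the sample request the vulnerable classifier reports no body while the hardened one reports a chunked body; an RFC-conformant upstream server agrees with the hardened one, which is exactly the disagreement the advisory describes. Two further rules from RFC 7230 section 3.3.3 matter when hardening a proxy beyond the case fix: a request whose Transfer-Encoding does not end in `chunked` has an undeterminable length and must be rejected with 400, and when both Transfer-Encoding and Content-Length are present, Transfer-Encoding wins (the safer choice for a proxy is to reject such requests outright).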
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-31842, HTTP, Proxy, Security Vulnerability, Request Smuggling
- **Credibility**: unverified
- **Published**: 2026-04-14 15:22:53
- **ID**: 63988
- **URL**: https://whisperx.ai/en/intel/63988