Tinyproxy Project / Tinyproxy

5 matches found

CVE, added 2024/05/01 3:31 p.m., 159 views

CVE-2023-49606

CVE-2023-49606 is a use-after-free in Tinyproxy’s HTTP Connection Headers parsing (affecting 1.11.1 and 1.10.0). A specially crafted, unauthenticated HTTP request can trigger reuse of freed memory, causing memory corruption and potentially remote code execution. Public advisories confirm fixes in...

CVSS 9.8 | AI score 9.7 | EPSS 0.78967
In wild
CVE, added 2017/07/30 4:0 p.m., 88 views

CVE-2017-11747

CVE-2017-11747 affects Tinyproxy (1.8.4 and older): main.c creates /run/tinyproxy/tinyproxy.pid after dropping privileges to a non-root account, allowing local users to modify the PID file and potentially kill the process via a root script that executes "kill `cat /run/tinyproxy/tinyproxy.pid`". Seve...

CVSS 5.5 | AI score 5.6 | EPSS 0.00034
CVE, added 2022/09/19 12:0 a.m., 74 views

CVE-2022-40468

CVE-2022-40468 affects tinyproxy. The issue is a potential leak of left-over heap data when using custom error page templates with non-standard variables, caused by uninitialized buffers in process_request() and related header handling. Multiple advisories confirm risk across distros, including D...

CVSS 7.5 | AI score 7.4 | EPSS 0.00178
CVE, added 2026/04/07 11:17 a.m., 12 views

CVE-2026-31842

Tinyproxy 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive Transfer-Encoding check in is_chunked_transfer() (strcmp against "chunked"). RFC 7230 requires case-insensitive transfer-coding names. An unauthenticated attacker sending Transfer-Encoding: Chunked ca...

CVSS 8.7 | AI score 5.9 | EPSS 0.00143
CVE, added 2025/11/26 12:0 a.m., 7 views

CVE-2025-63938

Tinyproxy

CVSS 6.5 | AI score 6.9 | EPSS 0.00058