2490160 – (CVE-2026-54387) CVE-2026-54387 tinyproxy: HTTP Request Smuggling via CL/TE desynchronization

Bug 2490160 (CVE-2026-54387) - CVE-2026-54387 tinyproxy: HTTP Request Smuggling via CL/TE desynchronization

Summary: CVE-2026-54387 tinyproxy: HTTP Request Smuggling via CL/TE desynchronization

Keywords:
Status:	NEW
Alias:	CVE-2026-54387
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2490299 2490300
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-17 21:01 UTC by OSIDB Bzimport
Modified:	2026-06-18 12:49 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-17 21:01:51 UTC

Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

Note You need to log in before you can comment on or make changes to this bug.