A critical flaw has been uncovered in Tinyproxy, a lightweight HTTP/S proxy favored by individual hobbyists, small businesses, and public Wi-Fi providers for its simplicity and effectiveness.
The vulnerability, tracked as CVE-2023-49606 with a CVSS score of 9.8, is a use-after-free bug in the way Tinyproxy versions 1.11.1 and 1.10.0 parse HTTP Connection headers. A seemingly trivial bug in the handling of these headers can be exploited to crash the proxy or, in more severe cases, to cause a denial of service. While remote code execution is also possible, it would require highly specific circumstances, making it less likely but still a concerning possibility.
Fifty-seven percent of more than 90,000 internet-exposed hosts continue to run unpatched Tinyproxy instances, which could be leveraged to facilitate remote code execution attacks via an unauthenticated HTTP request.
The U.S. accounted for the largest number of vulnerable internet-exposed hosts, followed by South Korea, China, France, and Germany, according to a report from Cisco Talos, which also published a proof-of-concept for the issue that addressed how the HTTP Connection header parsing flaw could be weaponized for code execution.
Since a patch from Tinyproxy's maintainers is not yet available, the immediate recommendation is to ensure that Tinyproxy services are not exposed to the public internet, especially in environments used for development or testing. Users should consider alternative proxy solutions that receive regular security updates and support, or at least ensure that access to Tinyproxy is limited to internal network use until a patch becomes available.
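Before restricting or replacing a proxy, a defender needs to know which of their own hosts are running an unpatched Tinyproxy. The following Python script is an added example, not code from the article or the Tinyproxy project: it triages raw HTTP responses recorded by an inventory scan, extracts the Tinyproxy version from the Via header the proxy adds, and flags the affected releases named above. The "(tinyproxy/x.y.z)" Via format and the choice to treat every release at or below 1.11.1 as unpatched are assumptions made here; the sample responses are constructed.

```python
import re
from typing import Optional, Tuple

# Highest release the article names as affected by CVE-2023-49606. Treating
# every release at or below it as unpatched is an assumption of this example.
LAST_AFFECTED_VERSION = (1, 11, 1)

# Tinyproxy identifies itself in the Via header it adds to proxied responses;
# the exact "(tinyproxy/x.y.z)" token format is assumed here.
VIA_RE = re.compile(r"\(tinyproxy/(\d+)\.(\d+)\.(\d+)\)", re.IGNORECASE)


def parse_response_headers(raw: bytes) -> dict:
    """Minimal parser: returns lower-cased header names mapped to their values."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_tinyproxy_version(headers: dict) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) if the Via header names Tinyproxy, else None."""
    match = VIA_RE.search(headers.get("via", ""))
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_unpatched(version: Optional[Tuple[int, int, int]]) -> bool:
    """True when the version is a release that still carries the bug."""
    return version is not None and version <= LAST_AFFECTED_VERSION


def triage(raw: bytes) -> str:
    """Classify one recorded response: not-tinyproxy, unpatched, or patched-or-newer."""
    version = parse_tinyproxy_version(parse_response_headers(raw))
    if version is None:
        return "not-tinyproxy"
    return "unpatched" if is_unpatched(version) else "patched-or-newer"


# Constructed sample responses, as an inventory scanner might have recorded them.
SAMPLES = {
    "proxy-a": b"HTTP/1.1 200 OK\r\nVia: 1.1 proxy-a (tinyproxy/1.11.1)\r\nContent-Length: 0\r\n\r\n",
    "proxy-b": b"HTTP/1.1 200 OK\r\nVia: 1.1 proxy-b (tinyproxy/1.10.0)\r\nContent-Length: 0\r\n\r\n",
    "web-c": b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for host, response in SAMPLES.items():
        print(host, triage(response))
```

Hosts reported as "unpatched" are the ones to pull off the public internet or restrict to internal clients until a fixed release ships.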