Critical Vulnerability in Tinyproxy Instances

Published on 08 May 2024

Tinyproxy has released security fixes for a critical vulnerability (CVE-2023-49606) affecting internet-exposed instances. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

The vulnerability is a use-after-free that an attacker could trigger by sending a specially crafted HTTP header; successful exploitation causes memory corruption and could potentially lead to remote code execution.

The critical vulnerability affects Tinyproxy versions 1.10.0 and 1.11.1.

Users and administrators of affected software versions are advised to pull the latest master branch from git or manually apply the security fix while waiting for the fixed software version to be released. They are also advised to allow access to Tinyproxy only from trusted sources, such as the internal network or specific IP addresses, and not to expose Tinyproxy to the public internet, in order to prevent unauthorised access and minimise the risk of security issues.
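The access restriction recommended above, shown as an added tinyproxy.conf fragment (example configuration, not from the advisory or the Tinyproxy project; the 192.168.10.x addresses are placeholders for the deployment's own internal range):

```conf
# tinyproxy.conf (added example; addresses below are placeholders)

Port 8888

# Weak setting: "Listen 0.0.0.0" binds to every interface, including any
# public one, and with no Allow directives Tinyproxy accepts all clients.
# Listen 0.0.0.0

# Bind only to the internal interface so the proxy is never reachable
# from the public internet.
Listen 192.168.10.5

# Once at least one Allow directive is present, every client that does not
# match an Allow line is refused. List only trusted sources.
Allow 127.0.0.1
Allow 192.168.10.0/24
```

After editing the file, restart Tinyproxy and confirm from an untrusted address that connections are refused.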

More information is available here:
https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
https://www.bleepingcomputer.com/news/security/over-50-000-tinyproxy-servers-vulnerable-to-critical-rce-flaw/
https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html