May 9th, 2024 | Updated on November 4th, 2025
More than half of the 90,310 hosts discovered exposing a Tinyproxy service online are vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool.
The vulnerability, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of 10, as noted by Cisco Talos. It is a use-after-free bug affecting versions 1.10.0 and 1.11.1, the latter being the most recent release.
Cisco Talos stated in an advisory last week that “a specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution.”
Essentially, this means an attacker could exploit this flaw by sending a specifically crafted HTTP Connection header, causing memory corruption that may result in remote code execution.
Censys, a company specializing in attack surface management, provided data indicating that out of the 90,310 hosts exposing Tinyproxy to the public internet as of May 3, 2024, approximately 52,000 (~57%) are running a vulnerable version.
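For asset owners wanting to check their own proxies against the version numbers named above, the following added example (not code from the article, Talos or the Tinyproxy project) reads a captured HTTP response and flags the versions the advisory lists as affected. It assumes Tinyproxy identifies itself in the Via header as "1.1 <hostname> (tinyproxy/<version>)"; the sample responses are constructed.

```python
import re
from typing import Optional, Tuple

# Versions the Talos advisory for CVE-2023-49606 names as affected (per the article).
AFFECTED_VERSIONS = {(1, 10, 0), (1, 11, 1)}

# Assumption: Tinyproxy advertises "Via: 1.1 <hostname> (tinyproxy/<version>)".
VIA_RE = re.compile(r"\(tinyproxy/(\d+)\.(\d+)(?:\.(\d+))?\)", re.IGNORECASE)

# Constructed sample responses, keyed by a hypothetical host label.
SAMPLE_RESPONSES = {
    "proxy-a": "HTTP/1.1 200 OK\r\nVia: 1.1 proxy-a (tinyproxy/1.11.1)\r\n\r\n",
    "proxy-b": "HTTP/1.1 200 OK\r\nvia: 1.0 proxy-b (TinyProxy/1.8.3)\r\n\r\n",
    "web-c":   "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}


def tinyproxy_version(raw_headers: str) -> Optional[Tuple[int, int, int]]:
    """Return the Tinyproxy version advertised in a Via header, or None."""
    for line in raw_headers.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "via":
            continue
        match = VIA_RE.search(value)
        if match:
            # A missing patch component (e.g. "1.11") is treated as .0
            return tuple(int(part) if part else 0 for part in match.groups())
    return None


def classify(raw_headers: str) -> str:
    """Classify one response: 'not-tinyproxy', 'affected', or 'unlisted'."""
    version = tinyproxy_version(raw_headers)
    if version is None:
        return "not-tinyproxy"
    # Only the versions the advisory names are reported as affected; anything else
    # is 'unlisted' rather than 'safe', since the article names no fixed release.
    return "affected" if version in AFFECTED_VERSIONS else "unlisted"


def report(responses: dict) -> dict:
    """Map each host label to its classification."""
    return {host: classify(raw) for host, raw in responses.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_RESPONSES).items():
        print(f"{host}: {status}")
```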
The majority of these publicly accessible hosts are situated in the United States (32,846), South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).
Talos, which first reported the issue on December 22, 2023, has also released a proof-of-concept (PoC) for the vulnerability.
This PoC demonstrates how the flaw in parsing HTTP Connection headers could be exploited to cause a crash and, potentially, execute arbitrary code.
Following the disclosure, the maintainers of Tinyproxy addressed the matter in a series of commits made over the weekend.
They pointed out that Talos had sent the report to a likely outdated email address. Additionally, they stated that they were only made aware of the issue by a Debian Tinyproxy package maintainer on May 5, 2024.
Rofl0r, one of the maintainers, remarked in a commit that “no GitHub issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat.” He further added, “If the issue had been reported on Github or IRC, the bug would have been fixed within a day.”
