8 May 2024

Over 50K Tinyproxy servers potentially vulnerable to cyberattacks



Cybersecurity experts have sounded the alarm over a recently disclosed high-severity security flaw affecting Tinyproxy, a popular HTTP/HTTPS proxy tool. More than 50% of Tinyproxy servers have been found to be exposed to attacks exploiting this vulnerability, data from attack surface management company Censys shows.

Tracked as CVE-2023-49606, the flaw is a use-after-free bug in the parsing of HTTP Connection headers, affecting versions 1.10.0 and 1.11.1. A remote attacker can send a specially crafted HTTP header and execute arbitrary code on the target system.

As of Friday, May 3, 2024, Censys identified 90,310 hosts exposing Tinyproxy services to the public internet. A significant portion of the vulnerable servers is concentrated in countries such as the United States and South Korea. Specifically, nearly 52,000 of the exposed hosts, representing approximately 57% of the total, are running versions 1.11.1 or 1.10.0, making them susceptible to exploitation.

CVE-2023-49606 was first disclosed in December 2023 by the Cisco Talos threat research team. The researchers also released a proof-of-concept (PoC) demonstrating how the vulnerability in parsing HTTP Connection headers could be exploited to trigger a crash or even execute malicious code.

While a fix is underway and included in the upcoming version 1.11.2, users are urged to take immediate action to safeguard their systems. The commit (12a8484) containing the security patch is available in the master branch for those who need it urgently, while others can await the official release.
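For an operator who needs to triage a fleet against the affected releases named above, the following added example (not code from the article, Censys, Cisco Talos or the Tinyproxy project) reads the version Tinyproxy advertises in the `Via` header of a proxied response and classifies the host as affected, patched (1.11.2 or later) or unknown. The `Via` format `1.1 <host> (tinyproxy/<version>)` and the sample responses are assumptions constructed for this example; the version list comes from the article.

```python
import re
from typing import Dict, Optional, Tuple

# Versions the article names as affected by CVE-2023-49606.
AFFECTED_VERSIONS = {"1.10.0", "1.11.1"}
# First release carrying the fix, per the article.
FIXED_VERSION: Tuple[int, int, int] = (1, 11, 2)

# Assumption: Tinyproxy appends a Via header such as
# "Via: 1.1 proxyhost (tinyproxy/1.11.1)" to responses it relays.
VIA_RE = re.compile(r"\(tinyproxy/(\d+)\.(\d+)\.(\d+)\)", re.IGNORECASE)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a lower-cased header dict.

    The status line is skipped; parsing stops at the first blank line so a
    body (if any) is never treated as headers.
    """
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return headers


def tinyproxy_version(headers: Dict[str, str]) -> Optional[Tuple[int, int, int]]:
    """Return the (major, minor, patch) tuple advertised in Via, or None."""
    via = headers.get("via")
    if not via:
        return None
    match = VIA_RE.search(via)
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def assess(raw_response: str) -> str:
    """Classify a proxied response head: affected / patched / review / unknown."""
    version = tinyproxy_version(parse_headers(raw_response))
    if version is None:
        return "unknown"           # no Tinyproxy banner; inspect by other means
    if ".".join(str(n) for n in version) in AFFECTED_VERSIONS:
        return "affected"
    if version >= FIXED_VERSION:
        return "patched"
    return "review"                # older release the advisory does not list


# Constructed sample response heads (not captured from real hosts).
SAMPLE_AFFECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Via: 1.1 proxyhost (tinyproxy/1.11.1)\r\n"
    "\r\n"
)
SAMPLE_PATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Via: 1.1 proxyhost (tinyproxy/1.11.2)\r\n"
    "\r\n"
)
SAMPLE_NO_VIA = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("affected", SAMPLE_AFFECTED),
                          ("patched", SAMPLE_PATCHED),
                          ("no-via", SAMPLE_NO_VIA)):
        print(f"{label}: {assess(sample)}")
```

A `Via` banner can be suppressed or altered by configuration, so an "unknown" result is a prompt to check the installed package version on the host rather than evidence that it is safe.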

