CVE-2025-63938
CVE-2025-63938 is a medium-severity vulnerability in Tinyproxy Project Tinyproxy with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-190.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 0% (14th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-199723
- Weakness: CWE-190
- Affected product: Tinyproxy Project Tinyproxy
- Published:
- Last modified:
Description
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.
Frequently asked questions
- What is CVE-2025-63938?
- Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.
- How severe is CVE-2025-63938?
- CVE-2025-63938 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2025-63938 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (14th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-63938?
- CVE-2025-63938 affects Tinyproxy Project Tinyproxy. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-63938?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-63938 have an EU (EUVD) identifier?
- Yes. CVE-2025-63938 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-199723.
- When was CVE-2025-63938 published?
- CVE-2025-63938 was published on 2025-11-26 and last updated on 2026-06-17.
References
- https://github.com/rayinaw/my-hub/blob/main/CVE-2025-63938/DISCLOSURE.md
- https://github.com/tinyproxy/tinyproxy/commit/3c0fde94981b025271ffa1788ae425257841bf5a
- https://github.com/tinyproxy/tinyproxy/issues/586
Affected products (1)
- cpe:2.3:a:tinyproxy_project:tinyproxy:*:*:*:*:*:*:*:*
More vulnerabilities in Tinyproxy Project Tinyproxy
- CVE-2023-49606 — Critical (CVSS 9.8): A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0.…
- CVE-2026-31842 — High (CVSS 7.5): Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of…
- CVE-2022-40468 — High (CVSS 7.5): Potential leak of left-over heap data if custom error page templates containing special non-standard variables are…
- CVE-2017-11747 — Medium (CVSS 5.5): main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a…
All CVEs affecting Tinyproxy Project Tinyproxy →
Other CWE-190 (Integer Overflow or Wraparound) vulnerabilities
- CVE-2026-4689 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was…
- CVE-2026-24814 — Critical (CVSS 10.0): Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is…
- CVE-2025-64721 — Critical (CVSS 10.0): Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions…
- CVE-2015-5108 — Critical (CVSS 10.0): Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC…
- CVE-2015-5097 — Critical (CVSS 10.0): Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC…
- CVE-2013-2555 — Critical (CVSS 10.0): Integer overflow in Adobe Flash Player before 10.3.183.75 and 11.x before 11.7.700.169 on Windows and Mac OS X, before…
Browse all CWE-190 (Integer Overflow or Wraparound) vulnerabilities →