TinyWeb Unbounded Content-Length Memory Exhaustion
Security Advisory. Published: February 25, 2026. Fixed in TinyWeb v2.02 (February 22, 2026).
Summary
TinyWeb HTTP Server versions 2.01 and earlier are vulnerable to a Denial of Service (DoS) attack due
to improper handling of the Content-Length HTTP header. The server does not enforce a
maximum limit on the HTTP request body size before allocating memory. An unauthenticated remote
attacker can send a request with a large Content-Length value, causing the server to
keep reallocating the body buffer as data arrives until it exhausts all available memory and crashes.
Severity: High (CVSS 4.0 Base Score: 8.7)
Vulnerability Details
| CVE ID | CVE-2026-27633 |
|---|---|
| Vulnerability Type | Uncontrolled Resource Consumption (CWE-400), Memory Exhaustion |
| Attack Type | Remote |
| Attack Vector | Network (unauthenticated HTTP request) |
| Vendor/Maintainer | Maxim Masiutin |
| Product | TinyWeb HTTP Server |
| Affected Versions | Version 2.01 and below |
| Fixed Version | 2.02 (February 22, 2026) |
| Impact | Denial of Service (Memory Exhaustion) |
CVSS Score
| CVSS Version | Score | Severity | Vector String |
|---|---|---|---|
| CVSS 4.0 | 8.7 | High | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Technical Details
Mechanism
When an HTTP request includes a Content-Length header, the server configures its
collector to read the entity body. Chunks of data are read from the socket and appended to an
internal buffer (EntityBody). Because there is no check on the absolute value of
Content-Length, the server will continue to call SetLength() as data
arrives, leading to memory exhaustion if a very large value (e.g., 2,147,483,647) is provided.
Affected Code (SrvMain.pas)
```pascal
if CollectEntityBody then
begin
  if j > 0 then
  begin
    i := Length(EntityBody);
    SetLength(EntityBody, i + j); // Unbounded reallocation: ContentLength is never compared against a cap
    Move(Buf, EntityBody[i + 1], j);
  end;
  GotEntityBody := ContentLength <= Length(EntityBody);
end;
```
Fix Applied in Version 2.02
The problem has been patched in version 2.02 by introducing a maximum payload size limit:
CMaxEntityBodySize defines the maximum size of an accepted HTTP request body (default 10 MB). Requests exceeding this limit are rejected immediately with an HTTP 413 Payload Too Large response, before any body memory is allocated. (Commit 1cb5a1d)
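The following is an added illustrative model of the fix described above, not TinyWeb's own Pascal code: the declared Content-Length is validated against a cap (the advisory's 10 MB default) before any body buffer exists, and the collector then never grows the buffer past the declared, already-bounded length. The request bytes used in the test are constructed.

```python
# Added illustrative model of the pre-allocation check TinyWeb 2.02 adds; not TinyWeb's Pascal code.
from typing import Optional, Tuple

MAX_ENTITY_BODY_SIZE = 10 * 1024 * 1024  # 10 MB, the advisory's stated default

class PayloadTooLarge(Exception):
    """Declared Content-Length exceeds the cap; maps to HTTP 413."""

class BadRequest(Exception):
    """Content-Length is malformed or inconsistent; maps to HTTP 400."""

def parse_content_length(headers: bytes) -> Optional[int]:
    """Return the declared Content-Length, or None if absent. The value is
    validated before any body buffer exists, the ordering the bug lacked."""
    value = None
    for line in headers.split(b"\r\n"):
        name, sep, raw = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            raw = raw.strip()
            if not raw.isdigit():  # rejects empty, signed and non-numeric values
                raise BadRequest("malformed Content-Length")
            if value is not None and int(raw) != value:
                raise BadRequest("conflicting Content-Length headers")
            value = int(raw)
    if value is not None and value > MAX_ENTITY_BODY_SIZE:
        raise PayloadTooLarge(f"Content-Length {value} > {MAX_ENTITY_BODY_SIZE}")
    return value

def collect_entity_body(content_length: int, chunks) -> bytes:
    """Append socket chunks to the body, stopping at the declared length;
    content_length has already been bounded by parse_content_length."""
    body = bytearray()
    for chunk in chunks:
        if len(body) >= content_length:
            break
        body.extend(chunk[:content_length - len(body)])
    return bytes(body)

def handle_request(headers: bytes, chunks) -> Tuple[int, bytes]:
    """Return (status, body) for header bytes plus an iterable of body chunks."""
    try:
        length = parse_content_length(headers)
    except PayloadTooLarge:
        return 413, b""
    except BadRequest:
        return 400, b""
    if length is None:
        return 200, b""  # no entity body to collect
    return 200, collect_entity_body(length, chunks)
```

The `len(body) >= content_length` stop condition plays the role of the original `GotEntityBody := ContentLength <= Length(EntityBody)` check, but only after the cap has made that length safe to reach.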
Workarounds
If upgrading to v2.02 is not immediately possible, consider the following mitigations:
- Place the server behind a Web Application Firewall (WAF) or reverse proxy (such as nginx or Cloudflare) configured to explicitly limit the maximum allowed HTTP request body size (e.g., `client_max_body_size` in nginx).