diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch b/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch
new file mode 100644
index 0000000000..dd10d2cd33
--- /dev/null
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/0001-CVE-2023-49606.patch
@@ -0,0 +1,59 @@
+From 982a46347c5939e08ad659858b1ac32361d7ffb8 Mon Sep 17 00:00:00 2001
+From: rofl0r
+Date: Sun, 5 May 2024 10:37:29 +0000
+Subject: [PATCH] CVE-2023-49606
+
+fix potential UAF in header handling
+
+https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
+
+this bug was brought to my attention today by the debian tinyproxy
+package maintainer. the above link states that the issue was known
+since last year and that maintainers have been contacted, but if
+that is even true then it probably was done via a private email
+to a potentially outdated email address of one of the maintainers,
+not through the channels described clearly on the tinyproxy homepage:
+
+> Feel free to report a new bug or suggest features via github issues.
+> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.
+
+no github issue was filed, and nobody mentioned a vulnerability on
+the mentioned IRC chat. if the issue had been reported on github or
+IRC, the bug would have been fixed within a day.
+
+CVE: CVE-2023-49606
+Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956]
+
+(cherry picked from commit 12a8484265f7b00591293da492bb3c9987001956)
+Signed-off-by: Ankur Tyagi
+---
+ src/reqs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/reqs.c b/src/reqs.c
+index b865190..705ce11 100644
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
+ char *data;
+ char *ptr;
+ ssize_t len;
+- int i;
++ int i,j,df;
+
+ for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
+ /* Look for the connection header. If it's not found, return.
*/
+@@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
+ */
+ ptr = data;
+ while (ptr < data + len) {
+- orderedmap_remove (hashofheaders, ptr);
++ df = 0;
++ /* check that ptr isn't one of headers to prevent
++ double-free (CVE-2023-49606) */
++ for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
++ if(!strcasecmp(ptr, headers[j])) df = 1;
++ if (!df) orderedmap_remove (hashofheaders, ptr);
+
+ /* Advance ptr to the next token */
+ ptr += strlen (ptr) + 1;
diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb
index 4f52ee2ba6..d0232dc636 100644
--- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb
@@ -8,6 +8,7 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz
 file://tinyproxy.service \
 file://tinyproxy.conf \
 file://CVE-2022-40468.patch \
+ file://0001-CVE-2023-49606.patch \
 "
 SRC_URI[sha256sum] = "1574acf7ba83c703a89e98bb2758a4ed9fda456f092624b33cfcf0ce2d3b2047"
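Review bot: The comment added beside the new `df` guard names the defect a double-free, while the patch subject (`fix potential UAF in header handling`) and the linked report describe a use-after-free: once `orderedmap_remove (hashofheaders, ptr)` drops the entry whose key is one of `headers[]`, the value buffer that `ptr` is still walking via `ptr += strlen (ptr) + 1` is presumably freed along with it, so the comment would be more accurate as `/* skip tokens naming one of headers[]: removing that entry would free the buffer ptr is iterating (use-after-free, CVE-2023-49606) */`. As a point of style, the scan keeps comparing after a match and nests an unbraced `if` inside an unbraced `for`; `if (!strcasecmp (ptr, headers[j])) { df = 1; break; }` inside a braced loop reads more safely and stops at the first hit. Because this file is a cherry-pick of the upstream commit named in Upstream-Status, such changes belong upstream rather than in the backport, so this is a note for the record rather than a blocker. `remove_connection_headers` begins before the first inner hunk and continues past `ptr += strlen (ptr) + 1;`.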