Rajat Raghav

**Name of the Vulnerable Software and Affected Versions** Pingora versions prior to 0.8.0 **Description** An HTTP request smuggling issue (CWE-444) exists in Pingora's handling of HTTP/1.1 connection upgrades. The issue arises when the proxy reads a request with an Upgrade header and forwards the remaining bytes on the connection to a backend before the backend accepts the upgrade. This allows an attacker to send a malicious payload after a request containing an Upgrade header, which the backend may interpret as a subsequent request header, bypassing security controls. This can lead to bypassing proxy-level ACL controls and WAF logic, poisoning caches and upstream connections, and performing cross-user attacks by hijacking sessions or smuggling requests. Cloudflare's CDN infrastructure was not affected. The vulnerable component is the handling of the `Upgrade` header in HTTP requests. **Recommendations** Upgrade to Pingora version 0.8.0 or higher. As a workaround, return an error on requests with the `Upgrade` header present in request filter logic to stop processing bytes beyond the request header and disable downstream connection reuse.

**Name of the Vulnerable Software and Affected Versions** Pingora versions prior to 0.8.0 **Description** An HTTP Request Smuggling issue exists due to improper parsing of HTTP/1.0 and Transfer-Encoding requests. The issue arises from allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, potentially desynchronizing request framing between Pingora and backend servers. This could allow attackers to bypass proxy-level access control lists and web application firewall logic, poison caches and upstream connections, and perform cross-user attacks by hijacking sessions or smuggling requests. Cloudflare's CDN infrastructure was not affected. The API endpoints are not explicitly mentioned. The vulnerable parameters or variables are not explicitly mentioned. The vulnerable functions are not explicitly mentioned. **Recommendations** Upgrade to Pingora version 0.8.0 or higher. As a workaround, reject non-HTTP/1.1 requests, requests with invalid Content-Length, requests with multiple Transfer-Encoding headers, or requests with a Transfer-Encoding header that is not exactly “chunked”.

**Name of the Vulnerable Software and Affected Versions** Pingora versions prior to 0.8.0 **Description** A cache poisoning issue exists in the Pingora HTTP proxy framework’s default cache key construction. The default HTTP cache key implementation generates cache keys using only the URI path, excluding the host header, potentially leading to cache poisoning and cross-origin responses being served to users. This could allow an attacker to perform cross-tenant data leakage in multi-tenant deployments or serve malicious content to legitimate users by poisoning shared cache entries. **Recommendations** Upgrade to Pingora version 0.8.0 or higher, which removes the insecure default cache key implementation. Users must implement their own callback that includes appropriate factors such as the Host header and upstream peer’s HTTP scheme. If unable to upgrade, remove any default CacheKey usage and implement a custom implementation that includes the host header and upstream peer’s HTTP scheme.