PT-2025-22502 · Cloudflare · Pingora
Published: 2025-04-25 · Updated: 2025-08-06 · CVE-2025-4366
CVSS v3.1: 8.0 (High)
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
All Pingora releases whose pingora-proxy crate predates the fix commit listed under Fix. Only deployments that use pingora-proxy's caching and serve HTTP/1.1 keep-alive clients expose the vulnerable path; a proxy that forwards every request upstream without a cache layer is not affected.
Description
A request smuggling issue was identified in Pingora's proxying framework, pingora-proxy. When a request carrying a body is answered from cache (a cache HIT), pingora-proxy sends the cached response without reading the request body to completion. On an HTTP/1.1 keep-alive connection the unread body bytes remain in the stream and are parsed as the beginning of the next request. An attacker who can obtain a HIT on a cacheable path can therefore shape the body so that it is executed as an additional request, or so that it prepends headers and a URL to a subsequent request sent on the same connection, leading to unauthorized request execution and potential cache poisoning. The attack only matters where other clients' requests share the same downstream connection (for example behind a front-end proxy or load balancer that reuses keep-alive connections to Pingora), which is why the vector records changed scope (S:C) and user interaction (UI:R). Only deployments that use pingora-proxy for caching are exposed.
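The following is an added illustration of the desync described above; it is not Pingora code and does not reproduce its parser. It is a toy HTTP/1.1 keep-alive request framer (names such as `serve_connection`, `parse_head` and `sample_stream` are this example's own) with a switch that models the vulnerable behaviour (cache HIT answered without draining the body) beside the fixed behaviour (body consumed before the connection is reused). The traffic is constructed inline: an attacker request whose body is an unterminated request prefix, followed by a victim request on the same connection.

```rust
// Toy model of the cache-HIT keep-alive desync. Added example, not Pingora code.
// Only Content-Length bodies are modelled; chunked encoding is out of scope here.

#[derive(Debug, PartialEq)]
pub struct Request {
    pub method: String,
    pub target: String,
    pub body: Vec<u8>,
}

/// Parse one request head from `buf`.
/// Returns (method, target, content_length, head_len), or None when no
/// complete head (terminated by CRLF CRLF) is buffered.
fn parse_head(buf: &[u8]) -> Option<(String, String, usize, usize)> {
    let head_len = buf.windows(4).position(|w| w == b"\r\n\r\n")? + 4;
    let head = std::str::from_utf8(&buf[..head_len]).ok()?;
    let mut lines = head.split("\r\n");
    let mut req_line = lines.next()?.split(' ');
    let method = req_line.next()?.to_string();
    let target = req_line.next()?.to_string();
    let mut content_length = 0usize;
    for line in lines {
        if let Some((name, value)) = line.split_once(':') {
            if name.trim().eq_ignore_ascii_case("content-length") {
                content_length = value.trim().parse().ok()?;
            }
        }
    }
    Some((method, target, content_length, head_len))
}

/// Process every request that arrives on one keep-alive connection.
/// `cache_hits` lists targets the cache answers directly.
/// `drain_on_hit == false` models the vulnerable behaviour, `true` the fix.
pub fn serve_connection(stream: &[u8], cache_hits: &[&str], drain_on_hit: bool) -> Vec<Request> {
    let mut served = Vec::new();
    let mut pos = 0;
    while let Some((method, target, content_length, head_len)) = parse_head(&stream[pos..]) {
        pos += head_len;
        let is_hit = cache_hits.contains(&target.as_str());
        let mut body = Vec::new();
        if !is_hit || drain_on_hit {
            // MISS: body forwarded upstream. Fixed HIT: body read and discarded.
            // Either way `pos` ends up at the start of the next request.
            let end = (pos + content_length).min(stream.len());
            body.extend_from_slice(&stream[pos..end]);
            pos = end;
        }
        // Vulnerable HIT: response sent, body never read, `pos` still points at the
        // body, so the next iteration parses attacker-controlled bytes as a request.
        served.push(Request { method, target, body });
    }
    served
}

/// Constructed sample traffic (not a capture): attacker request with a body that is
/// an unterminated request prefix, then an unrelated victim request.
pub fn sample_stream() -> Vec<u8> {
    let smuggled = b"GET /admin HTTP/1.1\r\nHost: example\r\nX-Ignore: ";
    let mut s = format!(
        "POST /cached.js HTTP/1.1\r\nHost: example\r\nContent-Length: {}\r\n\r\n",
        smuggled.len()
    )
    .into_bytes();
    s.extend_from_slice(smuggled);
    s.extend_from_slice(b"GET /account HTTP/1.1\r\nHost: example\r\nCookie: session=victim\r\n\r\n");
    s
}

fn main() {
    let stream = sample_stream();
    for (label, drain) in [("vulnerable", false), ("fixed", true)] {
        let reqs = serve_connection(&stream, &["/cached.js"], drain);
        let targets: Vec<&str> = reqs.iter().map(|r| r.target.as_str()).collect();
        println!("{}: {:?}", label, targets);
    }
}
```

In the vulnerable run the second request the proxy acts on is `GET /admin`, with the victim's entire `GET /account` request (cookie included) absorbed into the smuggled `X-Ignore` header; in the fixed run the body is consumed on the HIT and the victim's request is parsed intact.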
Recommendations
Update to a Pingora release that includes the fix commit https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff. If the upgrade cannot be deployed immediately, the exposed path can be closed by disabling response caching in pingora-proxy, or by not reusing HTTP/1.1 downstream connections across requests, since the leftover body bytes only take effect on a subsequent request over the same connection; both are interim measures with a performance cost. Restricting which clients can reach the pingora-proxy deployment reduces exposure but does not remove the flaw.
Fix
Commit fda3317ec822678564d641e7cf1c9b77ee3759ff in cloudflare/pingora: https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff
Weakness Enumeration
HTTP Request/Response Smuggling
Related Identifiers
CVE-2025-4366
Affected Products
Pingora (pingora-proxy)