CVE-2025-4366 Information

Description

A request smuggling vulnerability identified within Pingora’s proxying framework pingora-proxy allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs leading to unauthorized request execution and potential cache poisoning.

Fixed in:  https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff

Impact: The issue could lead to request smuggling in cases where Pingora’s proxying framework pingora-proxy is used for caching allowing an attacker to manipulate headers and URLs in subsequent requests made on the same HTTP/1.1 connection.

Reference

https://github.com/cloudflare/pingora