Vulnerability Details CVE-2025-4366
A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to unauthorized request execution and potential cache poisoning.
Fixed in: https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff
Impact: The issue could lead to request smuggling in cases where Pingora’s proxying framework, pingora-proxy, is used for caching allowing an attacker to manipulate headers and URLs in subsequent requests made on the same HTTP/1.1 connection.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.6%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2025-4366
-
cpe:2.3:a:cloudflare:pingora:0.1.0
-
cpe:2.3:a:cloudflare:pingora:0.1.1
-
cpe:2.3:a:cloudflare:pingora:0.2.0
-
cpe:2.3:a:cloudflare:pingora:0.3.0
-
cpe:2.3:a:cloudflare:pingora:0.4.0