CVE-2025-4366: Pingora has a Request Smuggling Vulnerability
(updated )
A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to unauthorized request execution and potential cache poisoning.
References
- blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora
- github.com/advisories/GHSA-93c7-7xqw-w357
- github.com/cloudflare/pingora
- github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff
- github.com/cloudflare/pingora/security/advisories/GHSA-93c7-7xqw-w357
- nvd.nist.gov/vuln/detail/CVE-2025-4366
- rustsec.org/advisories/RUSTSEC-2025-0037.html
Code Behaviors & Features
Detect and mitigate CVE-2025-4366 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →