GHSA-3qmp-g57h-rxf2 – pingora-core
Package
Manager: cargo
Name: pingora-core
Vulnerable Version: <0
Severity
Level: High
CVSS v3.1: N/A
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
EPSS: N/A (percentile: N/A)
Details
Duplicate Advisory: Pingora Request Smuggling and Cache Poisoning

### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-93c7-7xqw-w357. This link is maintained to preserve external references.

### Original Description
Pingora versions prior to 0.5.0 which used the caching functionality in pingora-proxy did not properly drain the downstream request body on cache hits. This allows an attacker to craft malicious HTTP/1.1 requests which could lead to request smuggling or cache poisoning. This flaw was corrected in commit fda3317ec822678564d641e7cf1c9b77ee3759ff by ensuring that the downstream request body is always drained before a connection can be reused. See [the blog post](https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/) for more information.
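The drain-before-reuse invariant described above, as an added example that is not Pingora code: a toy model of one keep-alive HTTP/1.1 connection in which every request is assumed to be a cache hit. The function names, the `example.test` host and the sample bytes are constructed for illustration.

```rust
// Added illustration, not Pingora code: one keep-alive HTTP/1.1 connection
// whose bytes are modelled as a single in-memory buffer.

/// Parse one request head at `pos`.
/// Returns (request line, offset where the body starts, Content-Length).
fn parse_head(buf: &[u8], pos: usize) -> Option<(String, usize, usize)> {
    let rest = &buf[pos..];
    let end = rest.windows(4).position(|w| w == b"\r\n\r\n")?;
    let head = std::str::from_utf8(&rest[..end]).ok()?;
    let mut lines = head.split("\r\n");
    let request_line = lines.next()?.to_string();
    let mut content_length = 0;
    for line in lines {
        if let Some((name, value)) = line.split_once(':') {
            if name.eq_ignore_ascii_case("content-length") {
                content_length = value.trim().parse().ok()?;
            }
        }
    }
    Some((request_line, pos + end + 4, content_length))
}

/// Answer every request from cache (assumption: all requests are hits).
/// Returns the request lines the server believes it received.
fn serve_from_cache(buf: &[u8], drain_body: bool) -> Vec<String> {
    let mut seen = Vec::new();
    let mut pos = 0;
    while let Some((line, body_start, len)) = parse_head(buf, pos) {
        seen.push(line);
        // A cache hit needs nothing from the request body. The fix is to
        // consume the body anyway before the connection is reused.
        pos = if drain_body { (body_start + len).min(buf.len()) } else { body_start };
    }
    seen
}

// Constructed sample: a POST with an 8-byte body, then a second request.
const CONN: &[u8] = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 8\r\n\r\n\
a=1&b=2;GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n";

fn main() {
    println!("drained:   {:?}", serve_from_cache(CONN, true));
    println!("undrained: {:?}", serve_from_cache(CONN, false));
}
```

Without draining, the parser resumes at the start of the unread body, so the body bytes are treated as the beginning of the next request and the connection is desynchronized.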
Metadata
Created: 2025-05-22T20:25:15Z
Modified: 2025-06-20T18:07:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-3qmp-g57h-rxf2/GHSA-3qmp-g57h-rxf2.json
CWE IDs: ["CWE-444"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0