Cloudflare has alerted users to a security vulnerability, tracked as CVE-2025-4366, in the widely used Pingora OSS framework. This flaw, a request smuggling issue, was discovered by a security researcher while testing exploits against Cloudflare’s free tier Content Delivery Network (CDN), which uses Pingora to serve cached assets.
The vulnerability exists in the Pingora caching components, specifically in the pingora-proxy and pingora-cache crates that provide HTTP caching to improve performance on Cloudflare’s CDN. Caching allows content to be served from a storage backend, reducing bandwidth use and load on origin servers. However, an HTTP/1.1 request parsing bug in Pingora’s caching logic opened the door for potential request smuggling attacks.
Request smuggling exploits inconsistencies in how HTTP requests are parsed across different network layers such as load balancers, proxies, and servers. Each layer parses the request independently, and if they interpret request boundaries differently, a malicious actor can craft a request that is treated as two separate requests by different components. This enables the attacker to “smuggle” a malicious request inside a legitimate one over the same connection.
In Pingora’s case, the vulnerability occurred because it skipped consuming the request body on cache hits. Normally, Pingora fully consumes request bodies or refuses to reuse connections when errors occur to comply with HTTP/1.1 standards. When a cached response was served, Pingora bypassed this step, leaving unread data on the connection. Attackers could manipulate this leftover data to inject a “smuggled” HTTP request, causing Pingora to misinterpret subsequent requests.
As a result, Pingora might treat the injected request as part of the next request sequence, allowing attackers to alter headers or URLs sent to the origin server.
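The connection-reuse rule described above can be checked with a small model. This is an added example, not Pingora's code: the `CacheHitPolicy` enum, the function names and the sample bytes are all constructed for illustration, and the model treats every request as a cache hit.

```rust
// Simplified model of one keep-alive connection; not Pingora's code.
#[derive(Clone, Copy)]
enum CacheHitPolicy {
    SkipBody,  // behaviour the article describes: body left unread on a cache hit
    DrainBody, // consume Content-Length bytes before reusing the connection
}

// Parse one request head: (request line, Content-Length, head length in bytes).
fn parse_head(buf: &[u8]) -> Option<(String, usize, usize)> {
    let text = std::str::from_utf8(buf).ok()?;
    let head_len = text.find("\r\n\r\n")? + 4;
    let mut lines = text[..head_len].split("\r\n");
    let request_line = lines.next()?.to_string();
    let mut content_length = 0;
    for line in lines {
        if let Some((name, value)) = line.split_once(':') {
            if name.eq_ignore_ascii_case("content-length") {
                content_length = value.trim().parse().ok()?;
            }
        }
    }
    Some((request_line, content_length, head_len))
}

// Request lines the proxy believes it received, treating every request as a cache hit.
fn requests_seen(conn: &[u8], policy: CacheHitPolicy) -> Vec<String> {
    let (mut seen, mut pos) = (Vec::new(), 0);
    while let Some((line, body_len, head_len)) = parse_head(&conn[pos..]) {
        seen.push(line);
        pos += head_len;
        if let CacheHitPolicy::DrainBody = policy {
            if conn.len() - pos < body_len {
                break; // body incomplete: do not reuse the connection
            }
            pos += body_len;
        }
    }
    seen
}

// Constructed sample: the first request's body happens to look like a request head.
fn sample_connection() -> Vec<u8> {
    let body = "GET /other HTTP/1.1\r\nHost: other.example\r\n\r\n";
    let next = "GET /index.html HTTP/1.1\r\nHost: site.example\r\n\r\n";
    format!("GET /asset.css HTTP/1.1\r\nHost: site.example\r\nContent-Length: {}\r\n\r\n{}{}", body.len(), body, next).into_bytes()
}

fn main() {
    let conn = sample_connection();
    println!("skip:  {:?}", requests_seen(&conn, CacheHitPolicy::SkipBody));
    println!("drain: {:?}", requests_seen(&conn, CacheHitPolicy::DrainBody));
}
```

With `SkipBody` the model sees three requests on the connection, with `DrainBody` only the two that were actually sent; a check of this kind works as a regression test for any proxy code path that answers before reading the body.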
At the time the vulnerability was discovered, Cloudflare was rolling out a new Pingora proxy with caching enabled to some of its free CDN plan traffic. This meant that users on the free tier or those using Pingora OSS caching features could have been exposed to this flaw.
The most serious impact was that attackers could cause visitors to Cloudflare-hosted sites to make additional requests to attacker-controlled servers, leaking the URLs the visitor had originally accessed.
This was possible because some vulnerable origin servers responded to the smuggled Host header with HTTP 301 redirects to the attacker’s domain. Browsers would follow the redirect and send the original URL in the Referer header, exposing sensitive browsing patterns and allowing injection of malicious content.
Cloudflare was notified of the vulnerability on April 11, 2025. They confirmed the flaw and identified the vulnerable Pingora component by April 12. Preparations were made to disable traffic to the affected proxy with caching enabled, and by 06:44 UTC on the same day, traffic to the vulnerable component was fully blocked.
Cloudflare advises all users of the Pingora OSS framework, especially those using the caching crates, to upgrade to version 0.5.0 or later, which contains the fix for this request smuggling vulnerability.
Customers using the Cloudflare CDN free tier do not need to take any action, as the patch has already been deployed for them.