CVE-2025-4366: Request Smuggling Vulnerability in Pingora

7.4 CVSS

Description

A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to unauthorized request execution and potential cache poisoning.

Fixed in: https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff

Impact: The issue could lead to request smuggling in cases where Pingora’s proxying framework, pingora-proxy, is used for caching allowing an attacker to manipulate headers and URLs in subsequent requests made on the same HTTP/1.1 connection.

Classification

CVE ID: CVE-2025-4366

CVSS Base Severity: HIGH

CVSS Base Score: 7.4

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Problem Types

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected Products

Vendor:

Product:

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.19% (scored less or equal to compared to others)

EPSS Date: 2025-06-09 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4366
https://github.com/cloudflare/pingora

Timeline

2025-05-22 16:40:11 UTC
CVE

Request Smuggling Vulnerability in Pingora
2025-05-22 21:15:13 UTC
Github Advisory Database (Rust)

[pingora-core] Pingora Request Smuggling and Cache Poisoning