CVE-2025-4366

Description

Pingora versions prior to 0.5.0 which used the caching functionality in pingora-proxy did not properly drain the downstream request body on cache hits. This allows an attacker to craft malicious HTTP/1.1 requests which could lead to request smuggling or cache poisoning. This flaw was corrected in commit fda3317ec822678564d641e7cf1c9b77ee3759ff by ensuring that the downstream request body is always drained before a connection can be reused. See [the blog post](https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/) for more information.

How to fix CVE-2025-4366

To remediate CVE-2025-4366, upgrade the affected package to a fixed version below.

• —upgrade to 0.5.0 or later
• —upgrade to 0.5.0 or later

Is CVE-2025-4366 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 0.5.0
• >= 0.0.0-0, < 0.5.0

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-4366
• PATCHcrates.io/crates/pingora-core
• PATCHgithub.com/cloudflare/pingora
• WEBblog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora
• WEB