HTTP Request Smuggling Affecting pingora-core package, versions <0.5.0


Severity

high

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS
0.1% (29th percentile)

  • Snyk ID: SNYK-RUST-PINGORACORE-10442131
  • published: 20 Jun 2025
  • disclosed: 22 May 2025
  • credit: James Kettle, Wannes Verwimp

Introduced: 22 May 2025

CVE-2025-4366
CWE-444

How to fix?

Upgrade pingora-core to version 0.5.0 or higher.
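
To check whether a project is locked to an affected version, the following added example (not code from Pingora or Snyk) scans Cargo.lock text for `pingora-core` entries below 0.5.0. The function names and the sample lockfile are constructed for illustration, and the usual `[[package]]` layout of Cargo.lock is assumed.

```rust
// Added example, not Pingora or Snyk code. Assumes the usual Cargo.lock layout.
const PACKAGE: &str = "pingora-core";
const FIXED: (u64, u64, u64) = (0, 5, 0); // first fixed version per the advisory

/// Some(true) if `version` sorts below 0.5.0; None if it is not MAJOR.MINOR.PATCH.
fn is_affected(version: &str) -> Option<bool> {
    let no_build = version.split('+').next()?; // build metadata does not affect ordering
    let (core, pre) = match no_build.split_once('-') {
        Some((c, _)) => (c, true), // a pre-release sorts below its release
        None => (no_build, false),
    };
    let n = core.split('.').map(|p| p.parse::<u64>().ok()).collect::<Option<Vec<u64>>>()?;
    if n.len() != 3 { return None; }
    let v = (n[0], n[1], n[2]);
    Some(v < FIXED || (v == FIXED && pre))
}

/// Value of a `key = "value"` line, if the line starts with `key`.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

/// Versions of pingora-core locked in `lock` that the advisory covers.
fn affected_versions(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name: Option<&str> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // a new package table starts
        } else if let Some(v) = value_of(line, "name") {
            name = Some(v);
        } else if let Some(v) = value_of(line, "version") {
            // An unparseable version is reported rather than silently passed.
            if name == Some(PACKAGE) && is_affected(v).unwrap_or(true) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

// Constructed sample lockfile: one affected and one fixed pingora-core entry.
const SAMPLE_LOCK: &str = "version = 4\n\n[[package]]\nname = \"pingora-core\"\nversion = \"0.4.0\"\n\n[[package]]\nname = \"pingora-core\"\nversion = \"0.5.0\"\n";

fn main() {
    for v in affected_versions(SAMPLE_LOCK) {
        println!("{} {} is below 0.5.0, upgrade (CVE-2025-4366)", PACKAGE, v);
    }
}
```

In a real project, pass the contents of the repository's Cargo.lock to `affected_versions` in place of `SAMPLE_LOCK`.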

Overview

pingora-core is a package containing Pingora's APIs and traits for the core network protocols.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of the downstream request body on cache hits. By sending specially crafted HTTP/1.1 requests, an attacker can cause unexpected request processing or cache content poisoning.
