HTTP Request Smuggling Affecting pingora-core package, versions <0.8.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-PINGORACORE-15426546
- published5 Mar 2026
- disclosed4 Mar 2026
- creditUnknown
Introduced: 4 Mar 2026
NewCVE-2026-2833 (opens in a new tab)How to fix?
Upgrade pingora-core to version 0.8.0 or higher.
Overview
pingora-core is a package containing Pingora's APIs and traits for the core network protocols.
Affected versions of this package are vulnerable to HTTP Request Smuggling in the handling of HTTP/1.1 requests containing an Upgrade header. An attacker can bypass proxy-level access controls and web application firewall logic, poison caches and upstream connections, or hijack user sessions by sending specially crafted HTTP requests that are forwarded to the backend before a proper protocol switch is confirmed. This is only exploitable if the deployment is a standalone proxy exposed directly to external traffic.