Request Smuggling Vulnerability in Pingora Proxy Framework
CVE-2025-4366

7.4 HIGH

Key Information:

Vendor

Cloudflare

Status
Vendor
CVE Published: 22 May 2025

Badges

📰 News Worthy

What is CVE-2025-4366?

A request smuggling vulnerability exists in Pingora’s proxying framework. Attackers can inject malicious HTTP requests through crafted request bodies on cache HITs. Exploitation can lead to unauthorized request execution, potentially allowing attackers to manipulate headers and URLs on subsequent requests. This can compromise the integrity of cached data and may facilitate cache poisoning attacks.

News Articles

Cloudflare Fixes CVE-2025-4366 In Pingora OSS Framework

Cloudflare patches request smuggling flaw CVE-2025-4366 in Pingora OSS framework impacting CDN free tier users.

CVSS V4

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • 📰 First article discovered by The Cyber Express

  • Vulnerability published

  • Vulnerability Reserved
