Understanding the CVE-2025-4366 Vulnerability in Cloudflare’s Pingora OSS Framework
Cloudflare has alerted users of its widely used Pingora OSS framework to a security vulnerability tracked as CVE-2025-4366. The flaw, an HTTP request smuggling bug, was found by security researchers testing Cloudflare’s free-tier Content Delivery Network (CDN), which uses Pingora to serve cached assets.
Overview of the CVE-2025-4366 Vulnerability
The vulnerability lies within the caching components of Pingora, specifically in the pingora-proxy and pingora-cache crates. These components are designed to enhance performance by providing HTTP caching functionality, allowing content to be served from a storage backend instead of being fetched again. This reduces bandwidth usage and alleviates load on origin servers. However, an HTTP/1.1 request parsing bug in Pingora’s caching logic opened the door to request smuggling attacks.
What is Request Smuggling?
Request smuggling exploits inconsistencies in how HTTP requests are parsed across various network components. Typically, a client’s HTTP request traverses multiple layers, including load balancers, proxies, and servers, each parsing the request independently. If these layers interpret the request boundaries differently—such as the length of the request body—a malicious actor can craft a request that is perceived as two distinct requests by different components. This discrepancy allows the attacker to “smuggle” a malicious request inside a legitimate one on the same connection.
In the case of Pingora, the vulnerability arose from skipped request body consumption during cache hits. Normally, Pingora processes requests in compliance with HTTP/1.1, fully consuming request bodies or refusing to reuse the connection when an error occurs. When a cached response was served, however, Pingora skipped that step and left the request body unread on the connection. Because the attacker controls that body, it can be shaped to look like the start of a new HTTP request, which the proxy then parses as the next request on the reused connection and misinterprets whatever legitimately follows it.
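To make the mechanism concrete, the following simulation is an added example written for this article; it is not Pingora’s code and does not reproduce its parser. It models a minimal HTTP/1.1 proxy reading one keep-alive connection from a byte buffer: when the requested path is a cache hit and the proxy does not drain the request body, the attacker’s body bytes are parsed as a second request with an attacker-chosen Host. The cache contents, the paths, the host names victim.example and attacker.example, and all request bytes are constructed for the demo.

```rust
use std::collections::HashMap;

/// Minimal request head. Constructed for this demo; not a Pingora type.
#[derive(Debug, Clone, PartialEq)]
pub struct Req {
    pub method: String,
    pub path: String,
    pub host: String,
    pub content_length: usize,
}

/// Parse one request head starting at `buf[pos..]`. Returns the head and the
/// offset just past the blank line that ends it, or None if no full head is
/// buffered yet.
fn parse_head(buf: &[u8], pos: usize) -> Option<(Req, usize)> {
    let rest = buf.get(pos..)?;
    let end = rest.windows(4).position(|w| w == b"\r\n\r\n")?;
    let head = std::str::from_utf8(&rest[..end]).ok()?;
    let mut lines = head.split("\r\n");
    let mut request_line = lines.next()?.split(' ');
    let method = request_line.next()?.to_string();
    let path = request_line.next()?.to_string();
    let mut host = String::new();
    let mut content_length: usize = 0;
    for line in lines {
        let (name, value) = line.split_once(':')?;
        match name.trim().to_ascii_lowercase().as_str() {
            "host" => host = value.trim().to_string(),
            "content-length" => content_length = value.trim().parse().ok()?,
            _ => {}
        }
    }
    Some((Req { method, path, host, content_length }, pos + end + 4))
}

/// Serve every request found in `stream`, the bytes received on one keep-alive
/// connection. `cache` maps a path to a cached body. With
/// `drain_body_on_hit == false` a cache hit is answered without reading the
/// request body, the behaviour described for the vulnerable releases; with
/// `true` the proxy always advances past Content-Length bytes first.
/// Returns each parsed request together with the response it produced.
pub fn serve_connection(
    stream: &[u8],
    cache: &HashMap<&str, &str>,
    drain_body_on_hit: bool,
) -> Vec<(Req, String)> {
    let mut out = Vec::new();
    let mut pos = 0;
    while let Some((req, body_start)) = parse_head(stream, pos) {
        let body_end = body_start + req.content_length;
        let response = match cache.get(req.path.as_str()) {
            Some(body) => format!("200 from cache: {}", body),
            None => format!("forwarded to origin with Host: {}", req.host),
        };
        let cache_hit = cache.contains_key(req.path.as_str());
        if cache_hit && !drain_body_on_hit {
            // Bug: the body bytes are left unread, so the next parse starts on
            // attacker-controlled data instead of on the next real request.
            pos = body_start;
        } else {
            if body_end > stream.len() {
                break; // body not fully received yet; wait for more bytes
            }
            pos = body_end;
        }
        out.push((req, response));
    }
    out
}

/// Build the attacker's request: a POST for a cacheable path whose body is a
/// complete second request. Content-Length is computed so the framing is valid.
pub fn smuggling_request(cacheable_path: &str, smuggled: &[u8]) -> Vec<u8> {
    let mut bytes = format!(
        "POST {} HTTP/1.1\r\nHost: victim.example\r\nContent-Length: {}\r\n\r\n",
        cacheable_path,
        smuggled.len()
    )
    .into_bytes();
    bytes.extend_from_slice(smuggled);
    bytes
}

fn main() {
    // Constructed sample data: one cached asset, one attacker request, then the
    // next (innocent) request arriving on the same reused connection.
    let cache = HashMap::from([("/cached.js", "console.log(1)")]);
    let mut stream = smuggling_request(
        "/cached.js",
        b"GET /private HTTP/1.1\r\nHost: attacker.example\r\n\r\n",
    );
    stream.extend_from_slice(b"GET /account HTTP/1.1\r\nHost: victim.example\r\n\r\n");

    for (label, drain) in [("vulnerable", false), ("fixed", true)] {
        println!("{}:", label);
        for (req, resp) in serve_connection(&stream, &cache, drain) {
            println!("  {} {} (Host: {}) -> {}", req.method, req.path, req.host, resp);
        }
    }
}
```

With the body left unread, the proxy sees three requests on a connection that carried two, and the middle one, with Host: attacker.example, is forwarded to the origin as though a client had sent it; on a real shared connection the response it generates is delivered to whichever client’s request comes next. Draining Content-Length bytes before parsing again (or, as the article notes Pingora also does on errors, refusing to reuse the connection) removes the extra request.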
Potential Impact on Users
At the time the vulnerability was identified, Cloudflare was in the process of rolling out a new Pingora proxy with caching enabled for a portion of its free CDN plan traffic. This meant that customers using the free tier or those directly utilizing the caching features of Pingora OSS were potentially exposed to this flaw.
The most serious consequence was that an attacker could make visitors to Cloudflare-hosted sites issue additional requests to attacker-controlled servers, which leaked the URLs the visitor had originally requested. Some origin servers answered the smuggled Host header with an HTTP 301 redirect to the attacker’s domain; the browser followed the redirect and sent the original URL in the Referer header. This could expose sensitive browsing patterns and facilitate the injection of malicious content into responses.
Cloudflare’s Response
Upon receiving notification of the vulnerability on April 11, 2025, Cloudflare’s security team acted swiftly to address the issue. Between April 11 and April 12, they confirmed the flaw and identified the vulnerable Pingora component responsible. By April 12, preparations were underway to disable traffic to the affected proxy with caching enabled. By 06:44 UTC that same day, traffic to the vulnerable component was fully blocked, mitigating the risk to users.
Recommendations for Users
Cloudflare has advised all users of the Pingora OSS framework—especially those leveraging the caching crates—to upgrade to version 0.5.0 or later, which includes the fix for this request smuggling vulnerability. Importantly, customers using the Cloudflare CDN free tier do not need to take any action, as the patch has already been deployed on their behalf.
In a statement, Cloudflare expressed gratitude to security researchers James Kettle and Wannes Verwimp for responsibly disclosing the flaw through their Bug Bounty Program. Their efforts have played a crucial role in enhancing the security of the Pingora framework and, by extension, the broader Cloudflare ecosystem.