CVE-2025-4366
Rust vulnerability analysis and mitigation

Overview

A request smuggling vulnerability (CVE-2025-4366) in pingora-proxy, the proxying framework of Cloudflare's Pingora, was discovered on April 11, 2025. The vulnerability allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to unauthorized request execution and potential cache poisoning. It affects users of the Cloudflare CDN free tier and users of the caching functionality provided in the open source pingora-proxy and pingora-cache crates (Cloudflare Blog).

Technical details

The vulnerability stems from an HTTP/1.1 parsing bug when caching is enabled in Pingora. When a cache hit occurs, the service skips the normal request body handling logic, allowing unread request bodies in HTTP/1.1 connections to become vectors for request smuggling. This could allow attackers to inject headers and URLs into subsequent requests made on the same HTTP/1.1 connection. The vulnerability has received a CVSS 4.0 Base Score of 7.4 (HIGH) with vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N, and a CISA-ADP CVSS 3.1 Base Score of 8.0 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N (NVD).
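As an added illustration (constructed toy code, not Pingora's parser or the actual fix), the following shows why a request body left unread on a cache HIT is parsed as a further request on the same keep-alive HTTP/1.1 connection, and how consuming the body before reusing the connection closes the gap. The `/cached` hit predicate, the connection bytes and all names are constructed.

```rust
// Added illustration of the mechanism described above; constructed toy code,
// not Pingora's parser. A keep-alive HTTP/1.1 connection is one byte stream:
// if a cache HIT answers from the head alone and never reads the body, the
// body bytes are parsed as the head of the next request.

/// Parsed request head: target, declared Content-Length and head size in bytes.
struct Head { target: String, content_length: usize, head_len: usize }

/// Parse one request head from the front of `buf` (ASCII test input only).
fn parse_head(buf: &[u8]) -> Option<Head> {
    let text = std::str::from_utf8(buf).ok()?;
    let end = text.find("\r\n\r\n")? + 4;
    let mut lines = text[..end].split("\r\n");
    let target = lines.next()?.split(' ').nth(1)?.to_string();
    let content_length = lines
        .filter_map(|l| l.split_once(':'))
        .find(|(k, _)| k.eq_ignore_ascii_case("content-length"))
        .and_then(|(_, v)| v.trim().parse::<usize>().ok())
        .unwrap_or(0);
    Some(Head { target, content_length, head_len: end })
}

/// Process every request on one connection buffer and return the targets the
/// server believed it saw. `drain_on_hit = false` models the vulnerable path:
/// a cache HIT skips body handling, so `content_length` bytes are never consumed.
fn serve_connection(conn: &[u8], is_hit: impl Fn(&str) -> bool, drain_on_hit: bool) -> Vec<String> {
    let mut seen = Vec::new();
    let mut pos = 0;
    while let Some(h) = parse_head(&conn[pos..]) {
        pos += h.head_len;
        if !is_hit(&h.target) || drain_on_hit {
            // Body is consumed (here: skipped over) before the connection is reused.
            pos = (pos + h.content_length).min(conn.len());
        }
        seen.push(h.target);
    }
    seen
}

/// Constructed connection bytes: a POST to a cached resource whose 46-byte body
/// happens to look like a request head, followed by a legitimate GET.
const CONN: &[u8] = b"POST /cached HTTP/1.1\r\nHost: example.test\r\nContent-Length: 46\r\n\r\n\
GET /injected HTTP/1.1\r\nHost: example.test\r\n\r\n\
GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n";

fn main() {
    let hit = |t: &str| t == "/cached";
    println!("vulnerable: {:?}", serve_connection(CONN, hit, false)); // three requests, /injected appears
    println!("fixed:      {:?}", serve_connection(CONN, hit, true));  // two requests
}
```

The same desync is what lets leftover bytes prefix a later request's headers and URL; in practice the safe alternatives are to read the body to completion or to close the connection instead of reusing it.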

Impact

The vulnerability could enable attackers to perform request smuggling attacks, potentially leading to unauthorized request execution and cache poisoning. In specific cases, attackers could cause visitors to Cloudflare sites to make subsequent requests to malicious servers, allowing the observation of URLs that visitors were attempting to access. This could expose sensitive information about user browsing patterns (Cloudflare Blog).

Mitigation and workarounds

Cloudflare patched the vulnerability by April 12, 2025, 06:44 UTC, within 22 hours of notification. The fix included disabling traffic to vulnerable components and deploying a patch. For users of the Pingora OSS framework, updating to version 0.5.0 or later is required to address the vulnerability. No action is needed from Cloudflare customers, as the patch has already been applied to their services (Cloudflare Blog).
