GHSA-393w-9x6h-8gc7: 
Rust vulnerability analysis and mitigation

The MadeYouReset HTTP/2 vulnerability (GHSA-393w-9x6h-8gc7) affects Pingora deployments with HTTP/2 server support, discovered and disclosed on September 17, 2025. The vulnerability impacts Pingora-core (Rust) versions below 0.6.0, where applications may allocate buffers before HTTP/2 reset and stream cancellation processing, potentially leading to security issues (GitHub Advisory).

The vulnerability has been assigned a high severity rating with a CVSS score of 8.2. The CVSS metrics indicate a network-based attack vector with low complexity, requiring no privileges or user interaction. The vulnerability specifically affects the HTTP/2 implementation, where buffer allocation occurs before proper reset handling, potentially leading to resource exhaustion (GitHub Advisory).

When exploited, the vulnerability can cause unusually high memory consumption in affected systems, potentially resulting in service instability or process termination. The CVSS impact metrics show high impact on system availability while maintaining no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in Pingora version 0.6.0 and later releases. The fix includes updated HTTP/2 dependencies with reset-handling safeguards to properly release connection resources before excessive memory buildup can occur. Users are strongly advised to upgrade to Pingora version 0.6.0 or higher to address this security issue (GitHub Release).