RUSTSEC-2025-0070: 
Rust vulnerability analysis and mitigation

RUSTSEC-2025-0070 is a security vulnerability affecting Pingora deployments with HTTP/2 server support. The vulnerability, also tracked as CVE-2025-8671, was discovered by security researcher Gal Bar Nahum and disclosed in September 2025. The issue affects Pingora-core (Rust) versions below 0.6.0 (GitHub Advisory).

The vulnerability stems from a condition where Pingora applications may allocate buffers before HTTP/2 reset and resulting stream cancellation is processed by the server. This implementation flaw can lead to memory management issues when handling HTTP/2 connections. The vulnerability has received a CVSS v4 score of 8.2 (High severity), with attack vectors being network-based, low complexity, and requiring no privileges or user interaction (GitHub Advisory).

When exploited, this vulnerability can cause malicious clients to trigger unusually high memory consumption in affected systems. This can result in service instability or process termination, effectively creating a denial-of-service condition (GitHub Advisory).

The vulnerability has been patched in Pingora version 0.6.0 and later releases. The fix includes implementing reset-handling safeguards to release connection resources before excessive memory buildup can occur. Users are strongly advised to upgrade to version 0.6.0 or later to address this security issue (GitHub Advisory).