Palo Alto-based web performance and security firm, Cloudflare, has rapidly patched a severe security bug in its open-source Pingora platform. The vulnerability, tracked as CVE-2025-4366, was a request smuggling bug that might have been exploited to leak visitor URLs of websites which are protected by Cloudflare.
The flaw existed in Pingora’s caching modules, which are pingora-proxy and pingora-cache crates. The problem was a result of processing of HTTP/1.1 requests when it served cached responses.
By default, Pingora eats up the entire request bodies. But, when returning cached content, this step was bypassed, what resulted previous data in the connection, yet to be read. This residual data could be corrupted to smuggle in an “smuggled” HTTP request.
The top risk posed by this vulnerability is that attackers would have been able to induce Cloudflare-protected sites’ visitors to unwittingly issue more requests to a server that’s under their control.
In some cases, origin servers who are vulnerable to having a tampered “Host” header in a request mirrored to them with an HTTP 301 response being tricked into issuing the original URI in the “Referer” header to the attacking server. This may reveal users’ access patterns and potentially give opportunity to inject harmful contents.
The bug was reported to Cloudflare on April 11, 2025 by security researchers James Kettle and Wanne Verwimp in the company’s bug bounty programme.
Cloudflare’s security team acted fast, verified the bug, and located the affected part of the stack within 24 hours. Traffic to the impacted proxy with caching enabled was completely removed by April 12, 2025, so the immediate threat was mitigated.
Cloudflare has since pushed a fix in Pingora version 0.5.0 and newer, so all users of the open-source framework, particularly those using the framework’s caching, are recommended to update as soon as possible.
Notably, Cloudflare has assured that there is nothing free Content Delivery Network (CDN) plan customers need to do as it is also updated across their infrastructure automatically.
Cloudflare has 399 quotes It took a lot of work from a lot of people in order to continue its work To every customer who passed an encrypted payload through our network Image a flood that springs a thousand leaks. The incident serves as a reminder of the need for vigilance and quick reaction to security flaws in vital internet infrastructure.
