Cloudflare
Cloudflare patches HTTP request smuggling vulnerabilities in Pingora 0.8.0
Cloudflare · security · release · bugfix · open-source · blog.cloudflare.com

Security Vulnerabilities Patched

Cloudflare has released Pingora 0.8.0 to address three HTTP/1.x request smuggling vulnerabilities reported in December 2025. The vulnerabilities (CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836) were responsibly disclosed by Rajat Raghav through Cloudflare's Bug Bounty Program.

Impact of the Vulnerabilities

The request smuggling issues could enable attackers to:

  • Bypass security controls: Circumvent proxy-layer access control lists (ACLs) and web application firewalls (WAF)
  • Perform session hijacking: Desync HTTP requests/responses between proxy and backend servers, allowing credential or session theft across users
  • Poison caches: Contaminate proxy-layer caches that retrieve content from shared backends

These vulnerabilities specifically affect standalone Pingora deployments exposed to the internet when used as an ingress proxy.

Technical Details

The vulnerabilities stem from Pingora's non-RFC-compliant HTTP/1 request body interpretation that allowed desync attacks. The most critical issue involved improper handling of HTTP Upgrade headers: Pingora would enter "passthrough" mode and forward subsequent bytes to the backend before receiving a 101 Switching Protocols response. An attacker could pipeline a second HTTP request after the initial upgrade request, causing the proxy and backend to disagree about request boundaries.

Additional variants of the attack exploited other edge cases in HTTP/1 body length calculations, enabling attackers to inject requests that bypass Pingora's security checks.
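The two framing rules a proxy has to enforce to close the class of desync described above are (1) RFC 9112 body-length determination (a single unambiguous Content-Length, or a Transfer-Encoding whose final coding is chunked, never both) and (2) treating an Upgrade request as an ordinary request until the backend has actually answered 101 Switching Protocols, so that any bytes following the request head are framed as HTTP, not forwarded opaquely. The following Rust is an added illustration written for this summary; it is not Pingora's code and the names `body_framing`, `enters_passthrough`, `Framing` and `FrameError` are assumptions of the example. The request heads in `main` are constructed samples.

```rust
// Added example: RFC 9112-style framing checks for HTTP/1.x request heads.
// Not Pingora's implementation; names and the sample inputs are constructed.

#[derive(Debug, PartialEq)]
pub enum Framing {
    Length(usize), // body is exactly N bytes
    Chunked,       // body uses chunked transfer coding
    None,          // no body (e.g. a plain GET)
}

#[derive(Debug, PartialEq)]
pub enum FrameError {
    Malformed,                   // bad header line, whitespace before ':' or obs-fold
    ConflictingFraming,          // both Content-Length and Transfer-Encoding present
    BadContentLength,            // non-numeric or disagreeing Content-Length values
    UnsupportedTransferEncoding, // Transfer-Encoding present but final coding is not chunked
}

/// Decide how the body of a request is delimited, following RFC 9112 section 6.3.
/// `head` is the request line plus header lines, CRLF-separated, ending at the blank line.
pub fn body_framing(head: &str) -> Result<Framing, FrameError> {
    let mut content_length: Option<usize> = None;
    let mut transfer_encoding: Option<String> = None;
    let mut lines = head.split("\r\n");
    let request_line = lines.next().ok_or(FrameError::Malformed)?;
    if request_line.is_empty() {
        return Err(FrameError::Malformed);
    }
    for line in lines {
        if line.is_empty() {
            break; // end of the header section
        }
        let (name, value) = line.split_once(':').ok_or(FrameError::Malformed)?;
        // RFC 9112 section 5.1: no whitespace between field name and colon, and
        // a line starting with whitespace (obs-fold) must be rejected by proxies.
        if name.is_empty() || name != name.trim() {
            return Err(FrameError::Malformed);
        }
        let value = value.trim();
        match name.to_ascii_lowercase().as_str() {
            "content-length" => {
                // Repeated or list-valued Content-Length is only valid if all values agree.
                for v in value.split(',') {
                    let n: usize = v.trim().parse().map_err(|_| FrameError::BadContentLength)?;
                    match content_length {
                        Some(prev) if prev != n => return Err(FrameError::BadContentLength),
                        _ => content_length = Some(n),
                    }
                }
            }
            "transfer-encoding" => {
                // Repeated Transfer-Encoding fields are combined into one list.
                let joined = match transfer_encoding.take() {
                    Some(prev) => format!("{}, {}", prev, value),
                    None => value.to_string(),
                };
                transfer_encoding = Some(joined);
            }
            _ => {}
        }
    }
    match (transfer_encoding, content_length) {
        // Both present is the classic CL.TE / TE.CL ambiguity: reject rather than guess.
        (Some(_), Some(_)) => Err(FrameError::ConflictingFraming),
        (Some(te), None) => {
            let last = te.rsplit(',').next().unwrap_or("").trim().to_ascii_lowercase();
            if last == "chunked" {
                Ok(Framing::Chunked)
            } else {
                Err(FrameError::UnsupportedTransferEncoding)
            }
        }
        (None, Some(n)) => Ok(Framing::Length(n)),
        (None, None) => Ok(Framing::None),
    }
}

/// True if any header line in `head` has the given (case-insensitive) field name.
fn has_header(head: &str, wanted: &str) -> bool {
    head.split("\r\n")
        .skip(1)
        .take_while(|l| !l.is_empty())
        .any(|l| l.split_once(':').map_or(false, |(n, _)| n.eq_ignore_ascii_case(wanted)))
}

/// A proxy may switch the client connection to opaque passthrough only once the
/// backend has answered 101 to an Upgrade request (RFC 9110 section 7.8). Until then,
/// bytes following the request head are framed as further HTTP requests, not tunnelled.
pub fn enters_passthrough(request_head: &str, backend_status: u16) -> bool {
    has_header(request_head, "upgrade") && backend_status == 101
}

fn main() {
    // Constructed sample heads showing accepted and rejected framings.
    let samples = [
        "POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n",
        "POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
        "POST /a HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
    ];
    for head in samples {
        println!("{:?}", body_framing(head));
    }
    let upgrade = "GET /ws HTTP/1.1\r\nHost: example.test\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n";
    println!("passthrough before 101: {}", enters_passthrough(upgrade, 200));
    println!("passthrough after 101: {}", enters_passthrough(upgrade, 101));
}
```

The point of rejecting rather than reconciling conflicting framings is that a proxy and its backend only stay in agreement on request boundaries if neither one tolerates an ambiguous head; the Upgrade check keeps the proxy parsing the client stream as HTTP for exactly as long as the backend does.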

Cloudflare's Status

Cloudflare's own CDN and customer traffic were not affected because Pingora is not deployed as an ingress proxy in Cloudflare's production network architecture. Internal Pingora deployments also don't experience these issues due to client behavior patterns (no HTTP pipelining) and ingress proxy design differences.

Recommendation

Cloudflare strongly recommends all Pingora framework users upgrade to version 0.8.0 as soon as possible. The update includes fixes for all three vulnerability variants and additional hardening of the HTTP/1 stack to prevent similar desync attacks.