Full Report
Cloudflare has alerted users of a security vulnerability—tracked as CVE-2025-4366—in the widely used Pingora OSS framework. This vulnerability, a request smuggling flaw, was discovered by a security researcher while testing exploits against Cloudflare’s Content Delivery Network (CDN) free tier, which utilizes Pingora to serve cached assets. The vulnerability surfaced within the Pingora caching components—specifically in the pingora-proxy and pingora-cache crates, which provide HTTP caching functionality to improve performance on Cloudflare’s CDN. When enabled, caching allows content to be served from a storage backend, reducing bandwidth and load on origin servers. However, an HTTP/1.1 request parsing bug in Pingora’s caching logic allowed for potential request smuggling attacks.

Overview of the CVE-2025-4366 Vulnerability

Request smuggling exploits inconsistencies in how HTTP requests are parsed across different network components. Typically, a client’s HTTP request passes through multiple layers, such as load balancers, proxies, and servers, each parsing the request independently. If these layers interpret the request boundaries differently, such as the length of the request body, a malicious actor can craft a request that is treated as two distinct requests by different components. This discrepancy enables the attacker to “smuggle” a malicious request inside a legitimate one on the same connection.

In Pingora’s case, the vulnerability occurred because request body consumption was skipped on cache hits. Normally, Pingora processes requests in a manner compliant with HTTP/1.1 standards, fully consuming request bodies or refusing to reuse connections when errors occur. But when a cached response was served, Pingora skipped this step, leaving unread data in the connection. This leftover data could be manipulated to inject a “smuggled” HTTP request, causing Pingora to misinterpret subsequent requests. Because of the vulnerability, Pingora might treat the injected “smuggled” request as part of the next request sequence, allowing attackers to alter headers or URLs seen by the origin server.

Impact on Cloudflare’s CDN Free Tier Users

At the time the vulnerability was identified, Cloudflare was rolling out a new Pingora proxy with caching enabled to a portion of its free CDN plan traffic. This meant that customers using the free tier, or those directly employing the caching features of Pingora OSS, were potentially exposed to this flaw. The most concerning impact was the ability of attackers to cause visitors to Cloudflare-hosted sites to make additional requests to attacker-controlled servers, effectively leaking which URLs the visitor had originally accessed. This attack was made possible because some vulnerable origin servers responded to the smuggled Host header with HTTP 301 redirects to the attacker’s domain, which would prompt browsers to follow the redirect and send the original URL in the Referer header. This behavior could expose sensitive browsing patterns and enable the injection of malicious content.

Upon receiving notification of the vulnerability on April 11, 2025, Cloudflare’s security team addressed it. Between April 11 and April 12, they confirmed the flaw and identified the vulnerable Pingora component responsible. By April 12, preparations were underway to disable traffic to the affected proxy with caching enabled, and by 06:44 UTC that same day, traffic to the vulnerable component was fully blocked.

Conclusion

Cloudflare advised all users of the Pingora OSS framework—especially those leveraging the caching crates—to upgrade to version 0.5.0 or later, which includes the fix for this request smuggling vulnerability. Importantly, customers using the Cloudflare CDN free tier do not need to take any action, as the patch has already been deployed on their behalf.
In a statement, Cloudflare expressed gratitude to security researchers James Kettle and Wannes Verwimp, who responsibly disclosed the flaw through the Bug Bounty Program.
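The failure mode the report describes (a cache hit that returns without draining the request body, so the unread bytes are parsed as the head of the next request on the same keep-alive connection) is easiest to see in a toy model. The following is an added example written for this page, not Pingora's code: `handle_connection`, `parse_head`, the `cached` list and the `SAMPLE` connection bytes are all constructed here, and only Content-Length framing is modelled.

```rust
// Added example: a toy model of the bug class described in the report, not Pingora's code.
// Requests on a keep-alive connection are framed by Content-Length. The buggy path returns
// on a cache hit without draining the body, so the body bytes stay in the buffer and are
// parsed as the head of the "next" request, with whatever Host header they carry.

#[derive(Debug, PartialEq)]
pub struct Req {
    pub path: String,
    pub host: String,
    pub body_len: usize,
}

/// Parse one request head; returns the request and the offset of its first body byte.
fn parse_head(buf: &[u8]) -> Option<(Req, usize)> {
    let text = std::str::from_utf8(buf).ok()?;
    let end = text.find("\r\n\r\n")?;
    let mut lines = text[..end].split("\r\n");
    let path = lines.next()?.split(' ').nth(1)?.to_string();
    let (mut host, mut body_len) = (String::new(), 0usize);
    for line in lines {
        if let Some((name, value)) = line.split_once(':') {
            match name.trim().to_ascii_lowercase().as_str() {
                "host" => host = value.trim().to_string(),
                "content-length" => body_len = value.trim().parse().ok()?,
                _ => {}
            }
        }
    }
    Some((Req { path, host, body_len }, end + 4))
}

/// Handle every request in the connection buffer. `cached` lists paths served from cache;
/// `drain_on_hit == false` reproduces the bug, `true` the fixed behaviour.
pub fn handle_connection(mut buf: &[u8], cached: &[&str], drain_on_hit: bool) -> Vec<Req> {
    let mut seen = Vec::new();
    while let Some((req, body_start)) = parse_head(buf) {
        let hit = cached.contains(&req.path.as_str());
        let skip_body = hit && !drain_on_hit; // the missing drain step on cache hits
        let consume = if skip_body { 0 } else { req.body_len.min(buf.len() - body_start) };
        buf = &buf[body_start + consume..];
        seen.push(req);
    }
    seen
}

/// Constructed connection: a POST for a cached path whose body looks like a second request head.
pub const SAMPLE: &[u8] = b"POST /cached.js HTTP/1.1\r\nHost: site.example\r\nContent-Length: 43\r\n\r\nGET /x HTTP/1.1\r\nHost: attacker.example\r\n\r\n";
```

With `drain_on_hit` set to `false` the handler reports two requests, the second carrying the Host header that was inside the body; with it set to `true` (or when the path is a cache miss) only the one real request is seen.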
Analysis Summary
# Vulnerability: Cloudflare Pingora OSS URL Leakage via HTTP Request Smuggling
## CVE Details
- CVE ID: CVE-2025-4366
- CVSS Score: Not explicitly provided, but described as causing leakage of visitor URLs/sensitive browsing patterns.
- CWE: Related to HTTP Request Smuggling/Header manipulation (implied)
## Affected Systems
- Products: Cloudflare Pingora OSS framework (specifically components utilizing caching crates)
- Versions: Versions prior to 0.5.0
- Configurations: Users leveraging the caching crates within the Pingora OSS framework. (Cloudflare CDN free tier customers are patched automatically).
## Vulnerability Description
The vulnerability lies within the Cloudflare Pingora OSS framework, specifically in the caching components. It is described as an HTTP request smuggling flaw related to the handling of the 'Host' header. An attacker could leverage this flaw when vulnerable origin servers respond to a smuggled 'Host' header with an HTTP 301 redirect pointing to an attacker-controlled domain. This redirect causes the visitor's browser to follow the link, sending the original requested URL in the `Referer` header to the attacker's domain. This allows an attacker to leak sensitive browsing patterns of users visiting Cloudflare-hosted sites, and potentially enable the injection of malicious content.
## Exploitation
- Status: PoC available (implied by the nature of the flaw and the successful patch after disclosure). The description focuses on the mechanism, not on current exploitation in the wild.
- Complexity: Medium (Requires knowledge of HTTP request smuggling techniques and target configuration)
- Attack Vector: Network
## Impact
- Confidentiality: High (Leaking accessed URLs and sensitive browsing patterns)
- Integrity: Medium (Potential for injection of malicious content via Referer leakage)
- Availability: Low (No direct Denial of Service described)
## Remediation
### Patches
- Users of Pingora OSS framework must upgrade to **version 0.5.0 or later**.
### Workarounds
- For those unable to immediately upgrade, traffic to the affected Pingora proxy with caching enabled should be disabled temporarily (Cloudflare blocked traffic to the vulnerable component by 06:44 UTC on April 12, 2025).
## Detection
- Detection methods focus on monitoring for unusual HTTP 301 redirects issued by origin servers back to attacker-controlled domains that originated from requests processed by the vulnerable Pingora component.
- Specific indicators of compromise (IOCs) are not detailed, but monitoring for anomalous `Referer` header activity pointing to unexpected external domains is recommended.
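The two signals above (an unexpected Host header reaching the origin, and a 3xx response whose Location points at a domain outside the site's own) can be checked on origin access logs. The following is an added example written for this page, not a Cloudflare or Pingora tool: the log format, the `scan` function and the `LOG` sample are constructed here, and the own-host and redirect allowlists are assumptions a deployment would fill in.

```rust
// Added example: an origin-side log check in the spirit of the detection guidance above,
// not a Cloudflare tool. The log format is constructed for this example, one record per line:
//   <client_ip> <host_header> <method> <path> <status> <location_or_->
// Two signals: a Host header that is not one of the site's own names (a smuggled request is
// what changes the Host the origin sees), and a 3xx Location pointing off the allowlist.

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line: usize,
    pub reason: String,
}

/// Host part of a URL such as https://attacker.example/x (only "://" scheme prefixes handled).
fn host_of(url: &str) -> &str {
    let rest = url.split("://").nth(1).unwrap_or(url);
    rest.split(|c: char| c == '/' || c == ':').next().unwrap_or("")
}

pub fn scan(log: &str, own_hosts: &[&str], redirect_allow: &[&str]) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, line) in log.lines().enumerate() {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() != 6 {
            continue; // malformed record, skip
        }
        let (host, status, location) = (f[1], f[4], f[5]);
        if !own_hosts.contains(&host) {
            out.push(Finding { line: i + 1, reason: format!("unexpected Host header {}", host) });
        }
        let is_redirect = status.starts_with('3') && location != "-";
        if is_redirect && !redirect_allow.contains(&host_of(location)) {
            out.push(Finding { line: i + 1, reason: format!("redirect to {}", host_of(location)) });
        }
    }
    out
}

/// Constructed sample: a normal hit, an in-site redirect, and the pattern the advisory warns about.
pub const LOG: &str = "\
203.0.113.5 site.example GET /index.html 200 -
203.0.113.5 site.example GET /old 301 https://www.site.example/new
198.51.100.9 attacker.example GET /x 301 https://attacker.example/x
";
```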
## References
- Vendor Advisories: Cloudflare Security Advisory (Disclosed April 11, 2025)
- Relevant links:
  - https://thecyberexpress.com/cloudflare-fixes-cve-2025-4366-in-pingora-oss/