Cloudflare has announced the successful elimination of three vulnerabilities in the Pingora framework, with two of them posing a critical level of danger (9.3 out of 10). Pingora framework, written in Rust, is specifically developed for creating secure, high-performance network services. The proxy system, powered by Pingora, is utilised on the Cloudflare content delivery network, managing over 40 million requests per second. The latest release Pingora 0.8.0 includes fixes for these vulnerabilities.
Among the identified vulnerabilities, the most critical ones allow for “HTTP Request Smuggling” attacks, facilitating the circumvention of access restriction systems and enabling attackers to inject malicious code into other users’ requests processed within the same thread. These issues were discovered by a participant in the Bug Bounty program, which rewards individuals for identifying vulnerabilities.
In a setup involving backend access through a reverse proxy, client requests are initially received by an additional node, establishing a persistent TCP connection with the backend for direct request processing. This common connection often transmits requests from different users sequentially, separated by HTTP protocol means.
http Request Smuggling attacks are a result of conflicting interpretations of HTTP headers between frontends and backends, such as when the frontend interprets the “Content-Length” header for request size determination, while the backend uses “Transfer-Encoding: chunked”.
The first vulnerability, identified as CVE-2026-2835, stems from flaws in the HTTP/1.0 request parsing code. It arises due to mishandling of the “Transfer-Encoding” header with multiple values, and improper recognition of connection closure as a signal for the end of the request body. Pingora previously only verified the “Transfer-Encoding: chunked” option and overlooked the header if it contained multiple values. Consequently, Pingora failed to consider the size in the “Content-Length” header, treating all data received before connection closure as the request body.