Cloudflare Pingora HTTP Request Smuggling Vulnerability Allowing Cross-User Session Hijacking
Vulnerability
A request smuggling vulnerability has been identified in Cloudflare Pingora's handling of HTTP/1.1 connection upgrades. The issue arises when a Pingora proxy processes a request with an Upgrade header: the proxy may forward subsequent bytes on the connection to a backend before the upgrade is accepted. By exploiting this behavior, an attacker can send a malicious payload to the backend that may be interpreted as a request header, bypassing proxy-level security measures and facilitating cross-user session hijacking. The vulnerability mainly impacts standalone Pingora deployments exposed to external traffic, where it enables attackers to circumvent proxy-level access controls and web application firewall logic, poison caches and upstream connections, and hijack sessions across users. Notably, Cloudflare's CDN infrastructure is not vulnerable, as its ingress proxies properly manage HTTP parsing and connection upgrades.
Impact
Exploitation allows attackers to bypass proxy-level access controls and web application firewall logic, poison caches and upstream connections, and hijack user sessions by smuggling requests that appear to come from the trusted proxy IP.
Remediation
Users of Pingora should upgrade to version 0.8.0 or higher. As a temporary measure, the request filter logic can reject requests that carry an Upgrade header, so that bytes beyond the request header are not processed and the downstream connection is not reused.
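The temporary measure above, modelled as a std-only Rust function. This is an added example, not Pingora's API or code from the advisory; `filter`, `Decision`, the 400 status and the sample requests are assumptions constructed for illustration.

```rust
// Added example: a std-only model of the workaround, not Pingora's API.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// No Upgrade header: forward; bytes after the head are parsed as usual.
    Forward { pipelined: usize },
    /// Upgrade header present: answer with an error, forward nothing, close.
    Reject { status: u16, discarded: usize, close: bool },
    /// The request head is not complete yet; read more before deciding.
    NeedMore,
}

/// Decide what to do with the bytes read so far from a downstream connection.
pub fn filter(buf: &[u8]) -> Decision {
    // The request head ends at the first empty line (CRLF CRLF).
    let end = match buf.windows(4).position(|w| w == b"\r\n\r\n") {
        Some(i) => i,
        None => return Decision::NeedMore,
    };
    let head = String::from_utf8_lossy(&buf[..end]);
    let trailing = buf.len() - (end + 4);
    // Skip the request line and compare header names case-insensitively.
    let has_upgrade = head.split("\r\n").skip(1).any(|line| {
        line.split_once(':')
            .map(|(name, _)| name.trim().eq_ignore_ascii_case("upgrade"))
            .unwrap_or(false)
    });
    if has_upgrade {
        // Bytes after the head are dropped rather than forwarded, and the
        // connection is closed so it cannot be reused (400 is an assumed status).
        Decision::Reject { status: 400, discarded: trailing, close: true }
    } else {
        Decision::Forward { pipelined: trailing }
    }
}

// Constructed sample inputs.
pub const UPGRADE_WITH_TRAILING: &[u8] = b"GET /chat HTTP/1.1\r\nHost: example.test\r\n\
Connection: Upgrade\r\nuPgRaDe: websocket\r\n\r\nBYTES-SENT-BEFORE-101";
pub const PLAIN: &[u8] = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";
pub const PARTIAL: &[u8] = b"GET /chat HTTP/1.1\r\nUpgrade: websocket\r\n";

fn main() {
    for sample in [UPGRADE_WITH_TRAILING, PLAIN, PARTIAL] {
        println!("{:?}", filter(sample));
    }
}
```

The decision is deferred until the full request head has arrived, so a header split across reads cannot slip past the check.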
