Cloudflare Pingora HTTP Request Smuggling Vulnerability

Vulnerability

A vulnerability allowing HTTP request smuggling has been identified in Cloudflare Pingora, specifically in its handling of HTTP/1.0 requests and Transfer-Encoding headers. The issue arises from improper parsing that allows request bodies to be close-delimited (terminated only by connection close) and from mishandling of multiple Transfer-Encoding values. As a result, attackers can craft HTTP/1.0 requests that desynchronize Pingora's request framing from that of the backend servers. This vulnerability primarily affects standalone Pingora deployments that proxy to backends accepting HTTP/1.0 requests.

Impact

Exploitation of this vulnerability could bypass proxy-level access control and web application firewall logic and poison caches and upstream connections. This enables cross-user attacks, such as hijacking sessions or smuggling requests that appear to originate from a trusted proxy IP.

Remediation

Users of Cloudflare Pingora should upgrade to version 0.8.0 or higher, which addresses the vulnerability by parsing message length headers correctly according to RFC 9112 and adhering to additional RFC guidelines. As a temporary measure, users can modify their request filter logic to reject requests that are not HTTP/1.1, that carry an invalid Content-Length header, that carry multiple Transfer-Encoding headers, or whose Transfer-Encoding header does not exactly match 'chunked'.
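The following is an added example, not Pingora's own code or API: a small Rust request-head filter that applies the four interim rejection rules above (HTTP/1.1 only, well-formed and consistent Content-Length, at most one Transfer-Encoding field, and a Transfer-Encoding value that is exactly "chunked"). It goes one step beyond the advisory's list by also rejecting a head that carries both Content-Length and Transfer-Encoding, which RFC 9112 section 6.1 permits a server to do. The names RawRequest, RejectReason, parse_head, check_framing and filter, and the sample request heads in main, are assumptions constructed for this illustration.

```rust
// Added example (not Pingora's own code): an HTTP/1.x request-head filter
// implementing the advisory's interim rejection rules. All names below are
// assumed for this illustration.

/// Why a request head was rejected by the filter.
#[derive(Debug, PartialEq, Eq)]
pub enum RejectReason {
    /// Request line is not HTTP/1.1 (covers HTTP/1.0 and anything else).
    NotHttp11,
    /// Content-Length is empty, non-numeric, or repeated with differing values.
    InvalidContentLength,
    /// More than one Transfer-Encoding header field is present.
    MultipleTransferEncoding,
    /// Transfer-Encoding value is not exactly "chunked".
    TransferEncodingNotChunked,
    /// Both Transfer-Encoding and Content-Length are present (RFC 9112 s6.1
    /// allows rejecting this; added here beyond the advisory's list).
    ConflictingFraming,
    /// Request line or a header line could not be parsed at all.
    Malformed,
}

/// Minimal view of a request head: the version token plus (name, value) pairs.
pub struct RawRequest<'a> {
    pub version: &'a str,
    pub headers: Vec<(&'a str, &'a str)>,
}

impl<'a> RawRequest<'a> {
    /// All values for a header name (case-insensitive), with optional
    /// whitespace around the value stripped.
    fn values(&self, name: &str) -> Vec<&'a str> {
        self.headers
            .iter()
            .filter(|(n, _)| n.eq_ignore_ascii_case(name))
            .map(|(_, v)| v.trim())
            .collect()
    }
}

/// Parse the request line and header lines of a CRLF-delimited request head.
/// Stops at the empty line that ends the head; any body bytes are ignored.
pub fn parse_head(raw: &str) -> Result<RawRequest<'_>, RejectReason> {
    let mut lines = raw.split("\r\n");
    let request_line = lines.next().ok_or(RejectReason::Malformed)?;
    let mut parts = request_line.split(' ');
    let version = match (parts.next(), parts.next(), parts.next(), parts.next()) {
        (Some(m), Some(t), Some(v), None) if !m.is_empty() && !t.is_empty() => v,
        _ => return Err(RejectReason::Malformed),
    };
    let mut headers = Vec::new();
    for line in lines {
        if line.is_empty() {
            break;
        }
        // A header name must not carry whitespace before the colon.
        let (name, value) = line.split_once(':').ok_or(RejectReason::Malformed)?;
        if name.is_empty() || name.ends_with(|c: char| c.is_ascii_whitespace()) {
            return Err(RejectReason::Malformed);
        }
        headers.push((name, value));
    }
    Ok(RawRequest { version, headers })
}

/// Apply the advisory's interim request-filter rules to a parsed head.
pub fn check_framing(req: &RawRequest<'_>) -> Result<(), RejectReason> {
    // 1. Only HTTP/1.1; HTTP/1.0 is the version the advisory's attack relies on.
    if req.version != "HTTP/1.1" {
        return Err(RejectReason::NotHttp11);
    }
    // 2. Content-Length must be a plain decimal, and duplicates must agree.
    let cls = req.values("content-length");
    if cls.iter().any(|v| v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit())) {
        return Err(RejectReason::InvalidContentLength);
    }
    if cls.windows(2).any(|w| w[0] != w[1]) {
        return Err(RejectReason::InvalidContentLength);
    }
    // 3. At most one Transfer-Encoding field is allowed.
    let tes = req.values("transfer-encoding");
    if tes.len() > 1 {
        return Err(RejectReason::MultipleTransferEncoding);
    }
    // 4. Its value must be exactly "chunked" ("Chunked" or "gzip, chunked" fail),
    //    and it must not be combined with Content-Length.
    if let Some(te) = tes.first() {
        if *te != "chunked" {
            return Err(RejectReason::TransferEncodingNotChunked);
        }
        if !cls.is_empty() {
            return Err(RejectReason::ConflictingFraming);
        }
    }
    Ok(())
}

/// Parse then check in one call, as a request filter hook would.
pub fn filter(raw: &str) -> Result<(), RejectReason> {
    check_framing(&parse_head(raw)?)
}

fn main() {
    // Constructed sample heads for demonstration, not captured traffic.
    let samples = [
        "GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nabc",
        "POST / HTTP/1.0\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
        "POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n",
        "POST / HTTP/1.1\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
        "POST / HTTP/1.1\r\nContent-Length: 3\r\nContent-Length: 4\r\n\r\n",
    ];
    for s in samples.iter() {
        println!("{:?} -> {:?}", s.lines().next().unwrap_or(""), filter(s));
    }
}
```

Header names are matched case-insensitively and values are trimmed of surrounding whitespace, as RFC 9112 allows, but the "chunked" comparison itself is case-sensitive and exact, matching the advisory's wording. Running the block prints each sample's request line alongside the filter verdict.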

Added: Mar 5, 2026, 12:18 AM
Updated: Mar 5, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.4
remediation: 0.0
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.