Pingora HTTP Proxy Framework Cache Poisoning Vulnerability

Vulnerability

A cache poisoning vulnerability exists in the Pingora HTTP proxy framework due to the default cache key construction, which only uses the URI path and omits critical elements like the host header. This flaw can lead to improper serving of cross-origin responses. The vulnerability affects users of Pingora's alpha proxy caching feature who rely on the default cache key implementation. An attacker could exploit this vulnerability to cause cross-tenant data leakage in multi-tenant deployments by serving cached responses from one tenant to users of another, or to poison the cache with malicious content intended for legitimate users.

Impact

Exploitation of this vulnerability could result in cache poisoning, allowing an attacker to serve malicious content to users by manipulating shared cache entries. In multi-tenant environments, this could also lead to unauthorized access to cached data from other tenants.

Remediation

Users are advised to upgrade to Pingora version 0.8.0 or higher, which addresses the vulnerability by removing the insecure default cache key implementation. After upgrading, users must implement their own cache key construction that includes the host header, the origin server's HTTP scheme, and any other relevant attributes. For those on previous versions, it is recommended to remove the default cache key usage and replace it with a custom implementation that at minimum includes the host header and the upstream peer's HTTP scheme.
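The difference between a path-only key and a key that also carries the scheme and Host header, as an added example that is not part of the advisory and does not use Pingora's API. The `Request` struct, the function names and the tenant hostnames are constructed for illustration.

```rust
use std::collections::HashMap;

// Constructed request model for illustration; these are not Pingora types.
struct Request {
    scheme: &'static str, // upstream peer's HTTP scheme
    host: &'static str,   // Host header value
    path: &'static str,   // URI path
}

// Path-only key: the construction the advisory describes as insecure.
fn path_only_key(r: &Request) -> String {
    r.path.to_string()
}

// Key covering scheme, host and path. Each field is length-prefixed so a
// crafted value cannot shift a field boundary and collide with another key.
// The host is lowercased because hostnames are case-insensitive.
fn tenant_aware_key(r: &Request) -> String {
    let host = r.host.to_ascii_lowercase();
    format!(
        "{}:{}|{}:{}|{}:{}",
        r.scheme.len(), r.scheme, host.len(), host, r.path.len(), r.path
    )
}

// Minimal cache: on a hit return the stored body, otherwise store the origin body.
fn fetch(cache: &mut HashMap<String, String>, key: String, origin_body: &str) -> String {
    cache.entry(key).or_insert_with(|| origin_body.to_string()).clone()
}

// Tenant A requests /account first, then tenant B requests the same path.
// Returns the body tenant B is served under the given key function.
fn tenant_b_response(key_fn: fn(&Request) -> String) -> String {
    let mut cache = HashMap::new();
    let a = Request { scheme: "https", host: "tenant-a.example", path: "/account" };
    let b = Request { scheme: "https", host: "tenant-b.example", path: "/account" };
    fetch(&mut cache, key_fn(&a), "tenant A data");
    fetch(&mut cache, key_fn(&b), "tenant B data")
}

fn main() {
    println!("path-only key:    {}", tenant_b_response(path_only_key));
    println!("scheme+host+path: {}", tenant_b_response(tenant_aware_key));
}
```
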

Added: Mar 5, 2026, 12:18 AM
Updated: Mar 5, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 3.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.