GHSA-HJ7X-879W-VRP7 Pingora has HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

Impact Pingora versions prior to 0.8.0 improperly allowed HTTP/1.0 request bodies to be close-delimited and incorrectly handled multiple Transfer-Encoding values. This allows an attacker to desync Pingora's request framing from backend servers and smuggle requests to the backend. This vulnerabili...

CVE-2026-2835

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

CVE-2026-2835 HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

bws-web-server (>=0.1.0 <=0.1.1), pingora (>=0.1.0 <=0.6.0) +6 more potentially affected by CVE-2026-2835 via pingora-core (>=0.1.1 <=0.6.0)

pingora-core CARGO version =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.7 - revoke-gateway =0.3.0 - static-files-module =0.1.0 Source cves: CVE-2026-2835 Source advisory: OSV:RUSTSEC-2026-0034...