Lucene search
K

73 matches found

OSV
OSV
added 2026/03/04 12:0 p.m.6 views

RUSTSEC-2026-0035 Cache poisoning via insecure-by-default cache key

Pingora versions prior to 0.8.0 generated cache keys using only the URI path, excluding critical factors such as the host header. This allows an attacker to poison the cache and serve cross-origin responses to users. This vulnerability affects users of Pingora's alpha proxy caching feature who...

8.4CVSS6AI score0.00394EPSS
Exploits0References4
vulnersOsv
vulnersOsv
added 2026/03/04 12:0 p.m.5 views

bws-web-server (>=0.1.0 <=0.1.1), pingora (>=0.1.0 <=0.6.0) +6 more potentially affected by CVE-2026-2835 via pingora-core (>=0.1.1 <=0.6.0)

pingora-core CARGO version =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.7 - revoke-gateway =0.3.0 - static-files-module =0.1.0 Source cves: CVE-2026-2835 Source advisory: OSV:RUSTSEC-2026-0034...

9.3CVSS6.7AI score0.00707EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/03/04 12:0 p.m.4 views

bws-web-server (>=0.1.0 <=0.1.1), pingora (>=0.1.0 <=0.6.0) +6 more potentially affected by CVE-2026-2833 via pingora-core (>=0.1.1 <=0.6.0)

pingora-core CARGO version =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.7 - revoke-gateway =0.3.0 - static-files-module =0.1.0 Source cves: CVE-2026-2833 Source advisory: OSV:RUSTSEC-2026-0033...

9.3CVSS6.7AI score0.00666EPSS
Exploits0
RustSec
RustSec
added 2026/03/04 12:0 p.m.11 views

HTTP Request Smuggling via Premature Upgrade

Pingora versions prior to 0.8.0 would immediately forward bytes following a request with an Upgrade header to the backend, without waiting for a 101 Switching Protocols response. This allows an attacker to smuggle requests to the backend and bypass proxy-level security controls. This vulnerabilit...

9.3CVSS6AI score0.00666EPSS
Exploits0Affected Software1
RustSec
RustSec
added 2026/03/04 12:0 p.m.12 views

HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

Pingora versions prior to 0.8.0 improperly allowed HTTP/1.0 request bodies to be close-delimited and incorrectly handled multiple Transfer-Encoding values. This allows an attacker to desync Pingora's request framing from backend servers and smuggle requests to the backend. This vulnerability...

9.3CVSS5.9AI score0.00707EPSS
Exploits0Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.4 views

PT-2026-23082

Name of the Vulnerable Software and Affected Versions Pingora versions prior to 0.8.0 Description A cache poisoning issue exists in the Pingora HTTP proxy framework’s default cache key construction. The default HTTP cache key implementation generates cache keys using only the URI path, excluding...

8.4CVSS5.8AI score0.00394EPSS
Exploits0References15
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.10 views

PT-2026-23081

Name of the Vulnerable Software and Affected Versions Pingora versions prior to 0.8.0 Description An HTTP Request Smuggling issue exists due to improper parsing of HTTP/1.0 and Transfer-Encoding requests. The issue arises from allowing HTTP/1.0 request bodies to be close-delimited and incorrect...

9.3CVSS5.8AI score0.00707EPSS
Exploits0References22
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.2 views

PT-2026-23080

Name of the Vulnerable Software and Affected Versions Pingora versions prior to 0.8.0 Description An HTTP request smuggling issue CWE-444 exists in Pingora's handling of HTTP/1.1 connection upgrades. The issue arises when the proxy reads a request with an Upgrade header and forwards the remaining...

9.3CVSS5.8AI score0.00666EPSS
Exploits0References19
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-16165

Malicious code in bioql PyPI...

7.4CVSS6.5AI score0.00423EPSS
Exploits0References6
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-29371

Malicious code in bioql PyPI...

7.4CVSS6.5AI score0.00423EPSS
Exploits0References4
vulnersOsv
vulnersOsv
added 2025/09/17 8:46 p.m.8 views

pingora (>=0.1.0 <=0.5.0), pingora-cache (>=0.1.0 <=0.5.0) +4 more potentially affected by unknown CVE via pingora-core (>=0.1.1 <=0.5.0)

pingora-core CARGO version =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.5.0 - revoke-gateway =0.3.0 - static-files-module =0.1.0 Source cves: unknown CVE Source advisory: OSV:GHSA-393W-9X6H-8GC7...

5.8AI score
Exploits0
OSV
OSV
added 2025/09/17 8:46 p.m.3 views

GHSA-393W-9X6H-8GC7 Pingora update for MadeYouReset HTTP/2 vulnerability

Pingora deployments that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can for...

8.2CVSS6.8AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2025/09/17 8:46 p.m.13 views

Pingora update for MadeYouReset HTTP/2 vulnerability

Pingora deployments that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can for...

7.5CVSS6.8AI score0.04604EPSS
Exploits3References3Affected Software1
vulnersOsv
vulnersOsv
added 2025/09/17 12:0 p.m.5 views

pingora (>=0.1.0 <=0.5.0), pingora-cache (>=0.1.0 <=0.5.0) +4 more potentially affected by CVE-2025-8671 via pingora-core (>=0.1.1 <=0.5.0)

pingora-core CARGO version =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.5.0 - revoke-gateway =0.3.0 - static-files-module =0.1.0 Source cves: CVE-2025-8671 Source advisory: OSV:RUSTSEC-2025-0070...

7.5CVSS6AI score0.04604EPSS
Exploits3
OSV
OSV
added 2025/09/17 12:0 p.m.5 views

RUSTSEC-2025-0070 Pingora MadeYouReset HTTP/2 vulnerability

Pingora deployments using versions prior to 0.6.0 that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the...

7.5CVSS6.8AI score0.04604EPSS
Exploits3References5
RustSec
RustSec
added 2025/09/17 12:0 p.m.11 views

Pingora MadeYouReset HTTP/2 vulnerability

Pingora deployments using versions prior to 0.6.0 that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the...

7.5CVSS6.8AI score0.04604EPSS
Exploits3Affected Software1
OSV
OSV
added 2025/06/20 6:7 p.m.5 views

GHSA-93C7-7XQW-W357 Pingora has a Request Smuggling Vulnerability

A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to unauthorized request execution and potential cache poisoning. Fixed in...

7.4CVSS7.1AI score0.00423EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2025/06/20 6:7 p.m.8 views

Pingora has a Request Smuggling Vulnerability

A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to unauthorized request execution and potential cache poisoning. Fixed in...

7.4CVSS6.3AI score0.00423EPSS
Exploits0References6Affected Software1
vulnersOsv
vulnersOsv
added 2025/06/20 6:7 p.m.6 views

pingora (>=0.1.0 <=0.4.0), pingora-cache (>=0.1.0 <=0.4.0) +3 more potentially affected by CVE-2025-4366 via pingora-core (>=0.1.1 <=0.4.0)

pingora-core CARGO version =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.4.0 - static-files-module =0.1.0 Source cves: CVE-2025-4366 Source advisory: OSV:GHSA-93C7-7XQW-W357...

7.4CVSS6AI score0.00423EPSS
Exploits0
OSV
OSV
added 2025/05/22 8:25 p.m.6 views

GHSA-3QMP-G57H-RXF2 Duplicate Advisory: Pingora Request Smuggling and Cache Poisoning

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-93c7-7xqw-w357. This link is maintained to preserve external references. Original Description Pingora versions prior to 0.5.0 which used the caching functionality in pingora-proxy did not properly drain the...

7.4CVSS6.2AI score0.00423EPSS
Exploits0References4
Rows per page
Query Builder