Resolving a request smuggling vulnerability in Pingora
ID: 902064d9-e886-5751-b7ae-ec2fb4bfbb29
STIX ID: report--902064d9-e886-5751-b7ae-ec2fb4bfbb29
Feed Name: Cloudflare Blog
Cloudflare disclosed CVE-2025-4366, a request-smuggling vulnerability in the Pingora caching component used to serve a subset of free-plan CDN traffic. On a cache hit, the HTTP/1.1 request body was left unread on the connection, so its bytes were interpreted as the start of the next request, enabling header and URL injection. Some origin servers could then return redirects to attacker-controlled hosts, exposing referrer URLs to those hosts. Cloudflare disabled the vulnerable rollout, released a patch, invalidated cached assets, and advised Pingora users to upgrade to version 0.5.0 or later. No evidence of exploitation was found.
