Fixing request smuggling vulnerabilities in Pingora OSS deployments
Blog post from Cloudflare
In December 2025, Cloudflare was alerted to HTTP/1.x request smuggling vulnerabilities in the Pingora open-source framework when used as an ingress proxy, identified as CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836. These vulnerabilities, reported by Rajat Raghav through a bug bounty program, were found not to affect Cloudflare's CDN due to its architecture but posed risks for standalone Pingora deployments exposed to the internet. The vulnerabilities could allow attackers to bypass security controls, desynchronize HTTP requests/responses, and poison proxy-layer caches. Pingora 0.8.0 was released with fixes to these vulnerabilities, and Cloudflare recommended users of Pingora upgrade promptly despite no detected impact on Cloudflare customers. The vulnerabilities involved improper handling of Upgrade requests, incorrect parsing of HTTP/1.0 requests with Transfer-Encoding, and default cache key construction flaws. Cloudflare's internal investigations confirmed that its services were not vulnerable due to strict RFC compliance and additional security layers, while the company emphasized the importance of adhering to RFC standards to enhance security and promote best practices across the internet.
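The post attributes Cloudflare's own immunity to strict RFC compliance, and two of the three flaw classes it names (HTTP/1.0 with Transfer-Encoding, Upgrade handling) map directly onto framing rules in RFC 9112 §6 and RFC 9110 §7.8. The block below is an added example, not code from the Cloudflare post or from Pingora, showing what those rules look like when enforced on an HTTP/1.x request head at the ingress: ambiguous framing is refused with a 400 rather than guessed at. The function name `check_framing`, the `Verdict` and `Framing` types and the rejection strings are assumptions of this example; it also goes beyond the page by covering conflicting Content-Length values and a non-final chunked coding, which the same RFC section treats as unrecoverable.

```rust
// Added example; not Pingora's or Cloudflare's code. Applies the RFC 9112 §6
// message-framing rules and the RFC 9110 §7.8 Upgrade rule to an HTTP/1.x
// request head so an ingress proxy can refuse ambiguous requests up front.

#[derive(Debug, PartialEq, Eq)]
pub enum Framing {
    ContentLength(u64), // body delimited by Content-Length (0 when absent)
    Chunked,            // body uses the chunked transfer coding
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    /// Safe to forward; `upgrade` is the token to honour after the body is
    /// fully read, and is always None for HTTP/1.0 (RFC 9110 §7.8).
    Accept { framing: Framing, upgrade: Option<String> },
    /// Answer 400 Bad Request and close the connection.
    Reject(&'static str),
}

/// All values of one (lower-case) header name, in order of appearance.
fn values<'a>(headers: &'a [(String, String)], name: &str) -> Vec<&'a str> {
    headers.iter().filter(|(n, _)| n == name).map(|(_, v)| v.as_str()).collect()
}

/// Split a request head (request line plus header lines, CRLF or LF separated)
/// into the HTTP version and (lower-cased name, trimmed value) pairs.
fn parse_head(head: &str) -> Result<(String, Vec<(String, String)>), &'static str> {
    let mut lines = head.lines();
    let request_line = lines.next().ok_or("empty request head")?;
    let version = request_line.split(' ').nth(2).ok_or("malformed request line")?;
    let mut headers = Vec::new();
    for line in lines {
        if line.is_empty() {
            break; // blank line ends the header section
        }
        let (name, value) = line.split_once(':').ok_or("malformed header line")?;
        // RFC 9112 §5.1: whitespace between a field name and its colon is a 400.
        if name.is_empty() || name.ends_with(|c: char| c.is_ascii_whitespace()) {
            return Err("whitespace before colon");
        }
        headers.push((name.to_ascii_lowercase(), value.trim().to_string()));
    }
    Ok((version.to_string(), headers))
}

pub fn check_framing(head: &str) -> Verdict {
    let (version, headers) = match parse_head(head) {
        Ok(parsed) => parsed,
        Err(reason) => return Verdict::Reject(reason),
    };
    if version != "HTTP/1.0" && version != "HTTP/1.1" {
        return Verdict::Reject("unsupported HTTP version");
    }
    let te = values(&headers, "transfer-encoding");
    let cl = values(&headers, "content-length");

    // RFC 9112 §6.1: Transfer-Encoding in an HTTP/1.0 message means faulty framing.
    if version == "HTTP/1.0" && !te.is_empty() {
        return Verdict::Reject("transfer-encoding in http/1.0 request");
    }
    // RFC 9112 §6.1 lets a server reject a request carrying both headers; doing so
    // leaves nothing for a second parser on the path to interpret differently.
    if !te.is_empty() && !cl.is_empty() {
        return Verdict::Reject("both transfer-encoding and content-length");
    }

    let framing = if !te.is_empty() {
        // Merge every Transfer-Encoding field into one coding list; chunked must be
        // the final coding or the body length is undeterminable (RFC 9112 §6.3).
        let codings: Vec<String> = te.iter().flat_map(|v| v.split(','))
            .map(|c| c.trim().to_ascii_lowercase()).collect();
        if codings.last().map(String::as_str) != Some("chunked") {
            return Verdict::Reject("transfer-encoding does not end in chunked");
        }
        Framing::Chunked
    } else if !cl.is_empty() {
        // RFC 9112 §6.3: every Content-Length value must be the same plain decimal.
        let first = cl[0];
        if cl.iter().any(|v| *v != first) {
            return Verdict::Reject("conflicting content-length values");
        }
        if first.is_empty() || !first.bytes().all(|b| b.is_ascii_digit()) {
            return Verdict::Reject("invalid content-length");
        }
        match first.parse::<u64>() {
            Ok(n) => Framing::ContentLength(n),
            Err(_) => return Verdict::Reject("content-length out of range"),
        }
    } else {
        Framing::ContentLength(0)
    };

    // RFC 9110 §7.8: a server must ignore Upgrade in an HTTP/1.0 request.
    let upgrade = if version == "HTTP/1.1" {
        values(&headers, "upgrade").first().map(|v| v.to_string())
    } else {
        None
    };
    Verdict::Accept { framing, upgrade }
}
```

A proxy would call `check_framing` on the raw head as soon as it has been read, before any cache-key computation or upstream connection reuse, and on `Reject` it must both answer 400 and close the client connection, since the bytes that follow on that connection can no longer be trusted to belong to the request just parsed. The design choice worth noting is that every rule here is a rejection rather than a normalisation: rewriting a dubious request into a clean one still leaves the proxy and the origin free to disagree about where the first request ended, which is exactly the desynchronisation the post describes.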