Author
Edward Wang, Andrew Hauck, Aki Shugaeva
Word count
1415
Language
English

Summary

Cloudflare discovered a request smuggling vulnerability (CVE-2025-4366) in the Pingora OSS framework after it was exploited by a security researcher using the free tier of Cloudflare's Content Delivery Network (CDN). The vulnerability allowed an attacker to inject malicious requests into subsequent valid requests on the same connection, which could be used to modify the request headers and/or URL sent to customer origins. Cloudflare quickly isolated the issue, mitigated it within 22 hours, and released a patch to prevent further exploitation. Customers using the caching functionality in the Pingora framework are advised to update to version 0.5.0 or later to avoid potential cache poisoning issues. The discovery highlights the importance of security testing and of responsible disclosure through Cloudflare's Bug Bounty Program, which allowed the vulnerability to be identified and mitigated swiftly.