How the CVE Works:
The vulnerability exploits improper handling of HTTP/1.1 request bodies in Pingora’s proxying framework (pingora-proxy). When processing cached (HIT) responses, manipulated chunked encoding or malformed Content-Length headers allow smuggling malicious requests. Attackers inject crafted payloads that bypass validation, causing the proxy to misinterpret request boundaries. This leads to unauthorized requests being forwarded, enabling cache poisoning or backend request hijacking. The flaw arises from inconsistent parsing between Pingora and downstream servers, allowing header/URL tampering in subsequent connections.
DailyCVE Form:
Platform: Pingora-proxy
Version: <0.1.0
Vulnerability: Request Smuggling
Severity: Critical
Date: 2023-10-09
Prediction: Patch expected by 2023-10-20
What Undercode Say:
Check for vulnerable Pingora versions:
curl -s http://target/pingora/version | grep "0.1.0"
Test for smuggling via chunked encoding:
printf "GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /poison HTTP/1.1\r\nHost: target\r\n\r\n" | nc target 80
How Exploit:
- Craft HTTP/1.1 requests with conflicting Content-Length/Transfer-Encoding headers.
- Abuse cache HITs to inject malicious payloads.
- Chain smuggled requests to hijack sessions or poison caches.
Protection from this CVE:
- Update to pingora-proxy >=0.1.0.
- Disable HTTP/1.1 connection reuse.
- Enforce strict header validation.
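One way to implement the strict header validation listed above, as an added example (not Pingora's code and not the project's fix): a Rust function that rejects any HTTP/1.1 request head whose body framing is ambiguous. `Framing` and `check_framing` are hypothetical names, and the sample request in `main` is constructed.

```rust
// Added example: strict framing check for an HTTP/1.1 request head.
// `Framing` and `check_framing` are hypothetical names, not a Pingora API.
#[derive(Debug, PartialEq)]
pub enum Framing { NoBody, Length(u64), Chunked }

/// Returns the single unambiguous body framing, or the reason to reject.
pub fn check_framing(head: &str) -> Result<Framing, &'static str> {
    let mut length: Option<u64> = None;
    let mut chunked = false;
    // Skip the request line; stop at the blank line that ends the head.
    for line in head.split("\r\n").skip(1) {
        if line.is_empty() { break; }
        // A bare CR or LF is read as a line break by some parsers only.
        if line.contains('\r') || line.contains('\n') {
            return Err("bare CR or LF in header");
        }
        let (name, value) = line.split_once(':').ok_or("header without colon")?;
        // Catches "Transfer-Encoding : chunked" and folded continuation lines.
        if name.is_empty() || name.contains(|c: char| c.is_ascii_whitespace()) {
            return Err("whitespace in header name");
        }
        let value = value.trim_matches(|c: char| c == ' ' || c == '\t');
        if name.eq_ignore_ascii_case("content-length") {
            // Digits only: a plain integer parse would also accept "+5".
            if value.is_empty() || !value.bytes().all(|b| b.is_ascii_digit()) {
                return Err("malformed Content-Length");
            }
            if length.is_some() { return Err("repeated Content-Length"); }
            length = Some(value.parse::<u64>().map_err(|_| "Content-Length overflow")?);
        } else if name.eq_ignore_ascii_case("transfer-encoding") {
            // Strict policy: exactly one header whose value is exactly "chunked".
            if chunked || !value.eq_ignore_ascii_case("chunked") {
                return Err("unsupported or repeated Transfer-Encoding");
            }
            chunked = true;
        }
    }
    match (length, chunked) {
        (Some(_), true) => Err("both Content-Length and Transfer-Encoding"),
        (Some(n), false) => Ok(Framing::Length(n)),
        (None, true) => Ok(Framing::Chunked),
        (None, false) => Ok(Framing::NoBody),
    }
}

fn main() {
    // Constructed sample: conflicting framing headers, which must be rejected.
    let req = "POST / HTTP/1.1\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n";
    println!("{:?}", check_framing(req));
}
```

A proxy applying this policy would answer a rejected head with 400 and close the connection rather than reuse it.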
Impact:
- Cache poisoning.
- Unauthorized request execution.
- Session hijacking.
Sources:
Reported By: github.com