Reported

September 17, 2025

Issued

September 18, 2025

Package

pingora-core (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Keywords

#http #http2 #h2

Aliases

• CVE-2025-8671

References

• https://github.com/cloudflare/pingora/security/advisories/GHSA-393w-9x6h-8gc7
• https://nvd.nist.gov/vuln/detail/CVE-2025-8671
• https://blog.cloudflare.com/madeyoureset-an-http-2-vulnerability-thwarted-by-rapid-reset-mitigations/

Patched

• >=0.6.0

Description

Pingora deployments using versions prior to 0.6.0 that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can force excessive memory consumption and lead to denial-of-service.

On affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination.

This issue is addressed by ensuring Pingora uses patched versions of HTTP/2 dependencies that include reset-handling safeguards to release connection resources before excessive memory buildup. Users are requested to upgrade to versions >= 0.6.0, which incorporates the required fixes.

Advisory available under CC0-1.0 license.