Cloudflare has alerted users of a security vulnerability—tracked as CVE-2025-4366—in the widely used Pingora OSS framework. This vulnerability, a request smuggling flaw, was discovered by a security researcher while testing exploits against Cloudflare’s Content Delivery Network (CDN) free tier, which utilizes Pingora to serve cached assets.  The vulnerability surfaced within the Pingora caching components—specifically in the pingora-proxy and pingora-cache crates, which provide HTTP caching functionality to improve performance on Cloudflare’s CDN. When enabled, caching allows content to be served from a storage backend, reducing bandwidth and load on origin servers. However, an HTTP/1.1 request parsing bug in Pingora’s caching logic allowed for potential request smuggling attacks.