Vulnerability Database

Pingora deployments that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can force excessive memory consumption and lead to denial-of-service.

Impact: On affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination.

Credits: Reported responsibly by security researcher Gal Bar Nahum (@galbarnahum)

Mitigation: This issue is addressed by ensuring Pingora uses patched versions of HTTP/2 dependencies that include reset-handling safeguards to release connection resources before excessive memory buildup. Users should upgrade to the latest Pingora release, which incorporates the required fixes.

• Users are requested to upgrade to latest version of Pingora >= 0.6.0