rustsec-2025-0070
Vulnerability from osv_rustsec
Pingora deployments using versions prior to 0.6.0 that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can force excessive memory consumption and lead to denial-of-service.
On affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination.
This issue is addressed by ensuring Pingora uses patched versions of HTTP/2 dependencies that include reset-handling safeguards to release connection resources before excessive memory buildup. Users are requested to upgrade to versions >= 0.6.0, which incorporates the required fixes.
{
"affected": [
{
"database_specific": {
"categories": [
"denial-of-service"
],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "pingora-core",
"purl": "pkg:cargo/pingora-core"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.6.0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"CVE-2025-8671"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Pingora deployments using versions prior to 0.6.0 that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can force excessive memory consumption and lead to denial-of-service.\n\nOn affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination.\n\nThis issue is addressed by ensuring Pingora uses patched versions of HTTP/2 dependencies that include reset-handling safeguards to release connection resources before excessive memory buildup. Users are requested to upgrade to versions \u003e= 0.6.0, which incorporates the required fixes.",
"id": "RUSTSEC-2025-0070",
"modified": "2025-09-18T07:10:31Z",
"published": "2025-09-17T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/pingora-core"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0070.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/cloudflare/pingora/security/advisories/GHSA-393w-9x6h-8gc7"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8671"
},
{
"type": "WEB",
"url": "https://blog.cloudflare.com/madeyoureset-an-http-2-vulnerability-thwarted-by-rapid-reset-mitigations/"
}
],
"related": [],
"severity": [],
"summary": "Pingora MadeYouReset HTTP/2 vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.