GHSA-393w-9x6h-8gc7

Source
https://github.com/advisories/GHSA-393w-9x6h-8gc7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-393w-9x6h-8gc7/GHSA-393w-9x6h-8gc7.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-393w-9x6h-8gc7
Published
2025-09-17T20:46:50Z
Modified
2025-09-17T20:46:50Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
Summary
Pingora update for MadeYouReset HTTP/2 vulnerability
Details

Pingora deployments that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and the resulting stream cancellation are processed by the server. Repeated resets can force excessive memory consumption and lead to denial of service.

Impact: On affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination.

Credits: Reported responsibly by security researcher Gal Bar Nahum (@galbarnahum)

Mitigation: This issue is addressed by ensuring Pingora uses patched versions of its HTTP/2 dependencies that include reset-handling safeguards, which release connection resources before excessive memory builds up. Users should upgrade to the latest Pingora release (>= 0.6.0), which incorporates the required fixes.
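A lockfile check for the affected range this advisory states (all pingora-core versions below 0.6.0). This is an added example, not code from the advisory or the Pingora project; the Cargo.lock excerpt is constructed, and the version comparison is a deliberately small semver subset that treats pre-releases of 0.6.0 as still affected.

```python
import re
from typing import List, Tuple

# Affected range from the advisory's SEMVER events: introduced "0", fixed "0.6.0".
AFFECTED_PACKAGE = "pingora-core"
INTRODUCED = "0"
FIXED = "0.6.0"

# Constructed Cargo.lock excerpt (not taken from any real project).
# Cargo can pin two versions of one crate, so both entries are checked.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "pingora-core"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "pingora-core"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio"
version = "1.40.0"
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric core of a semver string, padded to major.minor.patch.
    A trailing flag makes a pre-release (e.g. 0.6.0-rc1) sort below its release."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0,) if pre else (1,))

def is_affected(version: str) -> bool:
    """True when introduced <= version < fixed (OSV SEMVER range semantics)."""
    return parse_version(INTRODUCED) <= parse_version(version) < parse_version(FIXED)

def lock_packages(lock_text: str) -> List[Tuple[str, str]]:
    """(name, version) for every [[package]] entry in a Cargo.lock."""
    pkgs = []
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and ver:
            pkgs.append((name.group(1), ver.group(1)))
    return pkgs

def affected_entries(lock_text: str) -> List[str]:
    """Pinned pingora-core versions that fall inside the advisory's affected range."""
    return [v for n, v in lock_packages(lock_text) if n == AFFECTED_PACKAGE and is_affected(v)]

if __name__ == "__main__":
    print("affected pingora-core versions:", affected_entries(SAMPLE_CARGO_LOCK) or "none")
```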

Database specific
{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [],
    "github_reviewed_at": "2025-09-17T20:46:50Z"
}
References

Affected packages

Package: crates.io / pingora-core

Affected ranges
  Type: SEMVER
  Events
    Introduced: 0 (unknown introduced version; all previous versions are affected)
    Fixed: 0.6.0