RUSTSEC-2025-0070
- Source
- https://rustsec.org/advisories/RUSTSEC-2025-0070
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0070.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/RUSTSEC-2025-0070
- Aliases
-
- CVE-2025-8671
- GHSA-mrjm-qq9m-9mjq
- Published
- 2025-09-17T12:00:00Z
- Modified
- 2025-09-18T07:42:21.604002Z
- Summary
- Pingora MadeYouReset HTTP/2 vulnerability
- Details
-
Pingora deployments using versions prior to 0.6.0 that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can force excessive memory consumption and lead to denial-of-service.
On affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination.
This issue is addressed by ensuring Pingora uses patched versions of HTTP/2 dependencies that include reset-handling safeguards to release connection resources before excessive memory buildup. Users are requested to upgrade to versions >= 0.6.0, which incorporates the required fixes.
- Database specific
{ "license": "CC0-1.0" }- References
-
- https://crates.io/crates/pingora-core
- https://rustsec.org/advisories/RUSTSEC-2025-0070.html
- https://github.com/cloudflare/pingora/security/advisories/GHSA-393w-9x6h-8gc7
- https://nvd.nist.gov/vuln/detail/CVE-2025-8671
- https://blog.cloudflare.com/madeyoureset-an-http-2-vulnerability-thwarted-by-rapid-reset-mitigations/
Affected packages
crates.io / pingora-core
Package
- Name
- pingora-core
- View open source insights on deps.dev
- Purl
- pkg:cargo/pingora-core