Headline

GHSA-393w-9x6h-8gc7: Pingora update for MadeYouReset HTTP/2 vulnerability

Pingora deployments that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can force excessive memory consumption and lead to denial-of-service.

Impact: On affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination.

Credits: Reported responsibly by security researcher Gal Bar Nahum (@galbarnahum)

Mitigation: This issue is addressed by ensuring Pingora uses patched versions of HTTP/2 dependencies that include reset-handling safeguards to release connection resources before excessive memory buildup. Users should upgrade to the latest Pingora release, which incorporates the required fixes.

Users are requested to upgrade to latest version of Pingora >= 0.6.0

1 hour ago

ghsa

Open in Source

#vulnerability #dos #git

Impact:
On affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination.

Credits:
Reported responsibly by security researcher Gal Bar Nahum (@galbarnahum)

Mitigation:
This issue is addressed by ensuring Pingora uses patched versions of HTTP/2 dependencies that include reset-handling safeguards to release connection resources before excessive memory buildup. Users should upgrade to the latest Pingora release, which incorporates the required fixes.