
GHSA-393w-9x6h-8gc7: Pingora update for MadeYouReset HTTP/2 vulnerability

September 17, 2025 (updated November 10, 2025)

Pingora deployments that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and the resulting stream cancellation are processed by the server. Repeated resets can force excessive memory consumption and lead to denial of service.

Impact: On affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination.

Credits: Reported responsibly by security researcher Gal Bar Nahum (@galbarnahum)

Mitigation: This issue is addressed by ensuring Pingora uses patched versions of HTTP/2 dependencies that include reset-handling safeguards to release connection resources before excessive memory buildup. Users should upgrade to the latest Pingora release, which incorporates the required fixes.

  • Users are requested to upgrade to the latest version of Pingora (>= 0.6.0).

References

  • github.com/advisories/GHSA-393w-9x6h-8gc7
  • github.com/cloudflare/pingora
  • github.com/cloudflare/pingora/releases/tag/0.6.0
  • github.com/cloudflare/pingora/security/advisories/GHSA-393w-9x6h-8gc7


Affected versions

All versions before 0.6.0

Fixed versions

  • 0.6.0

Solution

Upgrade to version 0.6.0 or above.
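
To confirm which locked versions fall in the affected range, the following added example (not code from Pingora or from this advisory database) scans Cargo.lock text for pingora-core entries older than 0.6.0. It assumes the standard `[[package]]` layout with `name` and `version` keys; the sample lockfile and the crate `example-app` are constructed.

```rust
// Added example, not Pingora or GitLab code. Assumes the standard Cargo.lock
// layout: [[package]] tables with `name = "..."` and `version = "..."` keys.
const CRATE: &str = "pingora-core";
const FIXED: (u64, u64, u64) = (0, 6, 0); // first fixed release per the advisory

/// Parse the MAJOR.MINOR.PATCH core of a version, dropping -pre/+build suffixes.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// True if `version` sorts before FIXED. A pre-release of FIXED counts as
/// affected; an unparseable version is flagged for manual review.
fn is_affected(version: &str) -> bool {
    let pre = version.split('+').next().unwrap_or("").contains('-');
    match parse_version(version) {
        Some(core) => core < FIXED || (core == FIXED && pre),
        None => true,
    }
}

/// Return the string value of `key = "value"` if `line` is that assignment.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"').to_string())
}

/// Collect every locked pingora-core version that the advisory covers.
fn affected_versions(lockfile: &str) -> Vec<String> {
    let (mut hits, mut name) = (Vec::new(), String::new());
    for line in lockfile.lines() {
        if line.trim() == "[[package]]" {
            name.clear(); // new package table: forget the previous name
        } else if let Some(n) = quoted_value(line, "name") {
            name = n;
        } else if let Some(v) = quoted_value(line, "version") {
            if name == CRATE && is_affected(&v) { hits.push(v); }
        }
    }
    hits
}

// Constructed sample lockfile (checksums omitted).
const SAMPLE: &str = "version = 3\n\n[[package]]\nname = \"example-app\"\nversion = \"1.2.3\"\n\n[[package]]\nname = \"pingora-core\"\nversion = \"0.5.0\"\n";

fn main() { println!("affected: {:?}", affected_versions(SAMPLE)); }
```

A lockfile can pin more than one version of the same crate, so the function returns every affected entry rather than stopping at the first.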

Impact 8.6 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H


Source file

cargo/pingora-core/GHSA-393w-9x6h-8gc7.yml


Page generated Wed, 04 Feb 2026 00:35:55 +0000.