Three HTTP Smuggling CVEs in Pingora, and How Zentinel Responded

A security researcher found four vulnerabilities in Cloudflare's Pingora framework, including three HTTP request smuggling bugs. Here's what each one means for Zentinel, how operators could have mitigated before the fix, and why we were already running the patched version before the CVEs went public.

Zentinel Upgrades to Pingora 0.8: Keepalive Limits, Stricter HTTP Framing, and a Leaner Builder API

Pingora 0.8.0 brings connection reuse limits, stricter HTTP/1 validation, upload write-pending diagnostics, and a new builder pattern for proxy services. Here's what changed in Zentinel and what operators should know.

Zentinel Upgrades to Pingora 0.7: Dropping the Fork, Gaining New Capabilities

Cloudflare's Pingora 0.7 ships connection-level filtering, extensible TLS context, and the security fixes we were carrying in a fork. Zentinel now runs on upstream Pingora with zero patches — here's what changed and what it unlocks.

pingora

Three HTTP Smuggling CVEs in Pingora, and How Zentinel Responded

Zentinel Upgrades to Pingora 0.8: Keepalive Limits, Stricter HTTP Framing, and a Leaner Builder API

Zentinel Upgrades to Pingora 0.7: Dropping the Fork, Gaining New Capabilities