Add RUSTSEC for pingora-core (CVE-2026-2835)

Author: drcaramelsyrup

crates/pingora-core/RUSTSEC-0000-0000.md

@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "pingora-core"
+date = "2026-03-04"
+# url = "https://blog.cloudflare.com/TBD" # More details to come in an upcoming Cloudflare blog post
+references = ["https://nvd.nist.gov/vuln/detail/CVE-2026-2835"]
+keywords = ["http", "request-smuggling"]
+aliases = ["CVE-2026-2835"]
+cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N"
+
+[versions]
+patched = [">= 0.8.0"]
+```
+
+# HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing
+
+Pingora versions prior to 0.8.0 improperly allowed HTTP/1.0 request bodies to be close-delimited and incorrectly handled multiple Transfer-Encoding values. This allows an attacker to desync Pingora's request framing from backend servers and smuggle requests to the backend.
+
+This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could exploit this to bypass proxy-level ACL controls and WAF logic, poison caches and upstream connections, or perform cross-user attacks by hijacking sessions.
+
+This flaw was corrected in commits 7f7166d62fa916b9f11b2eb8f9e3c4999e8b9023, 40c3c1e9a43a86b38adeab8da7a2f6eba68b83ad, and 87e2e2fb37edf9be33e3b1d04726293ae6bf2052 by correctly parsing message length headers per RFC 9112. Users should upgrade to Pingora >= 0.8.0.
+
+Note: Cloudflare customers and Cloudflare's CDN infrastructure were not affected by this vulnerability, as its ingress proxy layers rejected ambiguous framing such as invalid Content-Length values and internally forwarded non-ambiguous message length framing headers.