Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-25725

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

Published

2023-02-14T19:15:11.530

Last Modified

2025-03-20T20:15:29.773

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.1 (CRITICAL)

Weaknesses

Type: Primary
NVD-CWE-Other
Type: Secondary
CWE-444

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	haproxy	haproxy	< 2.0.31	Yes
Application	haproxy	haproxy	< 2.2.29	Yes
Application	haproxy	haproxy	< 2.4.22	Yes
Application	haproxy	haproxy	< 2.5.12	Yes
Application	haproxy	haproxy	< 2.6.9	Yes
Application	haproxy	haproxy	< 2.7.3	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	debian	debian_linux	11.0	Yes

References

https://git.haproxy.org/?p=haproxy-2.7.git%3Ba=commit%3Bh=a0e561ad7f29ed50c473f5a9da664267b60d1112 ([email protected])
https://lists.debian.org/debian-lts-announce/2023/02/msg00012.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPTJQHKUEU2PQ7RWFUYAFLAD4STEIKHU/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JM5NCIBTHYDTLPY2UNC4HO2VAHHE6CJG/ ([email protected])
https://www.debian.org/security/2023/dsa-5348 Third Party Advisory ([email protected])
https://www.haproxy.org/ Product ([email protected])
https://git.haproxy.org/?p=haproxy-2.7.git%3Ba=commit%3Bh=a0e561ad7f29ed50c473f5a9da664267b60d1112 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/02/msg00012.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPTJQHKUEU2PQ7RWFUYAFLAD4STEIKHU/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JM5NCIBTHYDTLPY2UNC4HO2VAHHE6CJG/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2023/dsa-5348 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.haproxy.org/ Product (af854a3a-2127-422b-91ae-364da2661108)