CVE-2023-25725 — HTTP Request Smuggling in Haproxy

CWE-444 — HTTP Request Smuggling8 documents8 sources

Severity

9.1CRITICALNVD

EPSS

20.0%

top 4.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haproxy Debian Haproxy Debian Linux +6 more

Timeline

PublishedFeb 14

Latest updateDec 3

Description

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages9 packages

▶debiandebian/haproxy< haproxy 2.6.8-2 (bookworm)

▶NVDhaproxy/haproxy2.1.0 — 2.2.29+5

▶Debianhaproxy/haproxy< 2.2.9-2+deb11u4+3

▶msrcmsrc/cm1_haproxy_2.1.5-2_on_cbl_mariner_1.0

▶msrcmsrc/cbl2_haproxy_2.4.22-1_on_cbl_mariner_2.0

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

GHSA

GHSA-h2p2-w857-329f: HAProxy before 2↗2023-02-14

▶

OSV

CVE-2023-25725: HAProxy before 2↗2023-02-14

▶

📋Vendor Advisories

Ubuntu

HAProxy vulnerability↗2024-12-03

▶

Red Hat

haproxy: request smuggling attack in HTTP/1 header parsing↗2023-02-14

▶

Microsoft

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations aka "request smuggling." The HTTP header parsers in HAProxy may accept empty ↗2023-02-14

▶

Debian

CVE-2023-25725: haproxy - HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers...↗2023

▶

📄Research Papers

arXiv

Securing an Application Layer Gateway: An Industrial Case Study↗2024-01-11

▶