Debian Haproxy vulnerabilities
37 known vulnerabilities affecting debian/haproxy.
Total CVEs: 37
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 2
Severity breakdown: CRITICAL 2, HIGH 19, MEDIUM 11, LOW 5
Vulnerabilities
Page 1 of 2
CVE-2026-26081 [LOW] haproxy; fixed in haproxy 3.2.11-2 (forky); 2026
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 3.2.11-2)
sid: resolved (fixed in 3.2.11-2)
trixie: resolved (fixed in 3.0.11-1+deb13u2)
CVE-2026-26080 [LOW] haproxy; fixed in haproxy 3.2.11-2 (forky); 2026
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 3.2.11-2)
sid: resolved (fixed in 3.2.11-2)
trixie: resolved
CVE-2025-8671 [HIGH] CVSS 7.5; h2o; fixed in varnish 7.7.2-1 (forky); 2025
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker
CVE-2025-11230 [HIGH] CVSS 7.5; haproxy; fixed in haproxy 2.6.12-1+deb12u3 (bookworm); 2025
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.
Scope: local
bookworm: resolved (fixed in 2.6.12-1+deb12u3)
bullseye: resolved
forky: resolved (fixed in 3.2.5-2)
sid: resolved (fixed in 3.2.5-2)
trixie: resolved (fixed in 3.0.11-1+deb13u1)
CVE-2025-32464 [MEDIUM] CVSS 6.8; haproxy; fixed in haproxy 2.6.12-1+deb12u2 (bookworm); 2025
HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.
Scope: local
bookworm: resolved (fixed in 2.6.12-1+deb12u2)
bullseye: resolved (fixed in 2.2.9-2+deb11u7)
forky: resolved (fixed in 3.0.10-1)
sid: resolved (fixed
CVE-2024-49214 [MEDIUM] CVSS 5.3; haproxy; fixed in haproxy 2.9.11-1 (forky); 2024
QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 2.9.11-1)
sid: resolved (fixed in 2.9.11-1)
trixie: resolved (fixed in 2.9.11-1)
CVE-2024-53008 [MEDIUM] CVSS 5.3; haproxy; fixed in haproxy 2.9.10-1 (forky); 2024
Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.
Scope: local
bookworm: open
bullseye: resolved
forky: resolv
CVE-2024-45506 [LOW in listing, HIGH in detail] CVSS 7.5, Exploited; haproxy; fixed in haproxy 2.9.10-1 (forky); 2024
HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions, as exploited in the wild in 2024.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 2.9.10-1)
sid: resolved (fixed in 2.9.10-1)
trixie: resolved (fix
CVE-2023-25725 [CRITICAL] CVSS 9.1; haproxy; fixed in haproxy 2.6.8-2 (bookworm); 2023
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and
CVE-2023-45539 [HIGH] CVSS 8.2; haproxy; fixed in haproxy 2.6.12-1+deb12u1 (bookworm); 2023
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
Scope: local
bookworm: resolved (fixed in 2.6.12-1+deb12u1)
bullseye: resolved (fixed in 2.2.9-2+deb11u6)
forky:
CVE-2023-25950 [HIGH] CVSS 7.3; haproxy; fixed in haproxy 2.6.8-1 (bookworm); 2023
HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.
Scope: local
bookworm: resolved (fixed in 2.6.8-1)
bullseye: resolved
forky: resolved (fixed in 2.6.8-1)
sid:
CVE-2023-0836 [HIGH] CVSS 7.5; haproxy; fixed in haproxy 2.6.8-1 (bookworm); 2023
An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
Scope: local
bo
CVE-2023-44487 [HIGH] CVSS 7.5, KEV, PoC; dnsdist; fixed in dnsdist 1.8.2-2 (forky); 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1.8.2-2)
sid: resolved (fixed in 1.8.2-2)
trixie: resolved (fixed in 1.8.2-2)
CVE-2023-40225 [HIGH] CVSS 7.2; haproxy; fixed in haproxy 2.6.12-1+deb12u1 (bookworm); 2023
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Scope: local
bookworm: resolved (fix
CVE-2023-0056 [MEDIUM] CVSS 6.5; haproxy; fixed in haproxy 2.6.8-1 (bookworm); 2023
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
Scope: local
bookworm: resolved (fixed in 2.6.8-1)
bullseye: resolved (fixed in 2.2.9-2+deb11u4)
CVE-2022-0711 [HIGH] CVSS 7.5; haproxy; fixed in haproxy 2.4.13-1 (bookworm); 2022
A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.
Scope: local
bookworm: resolved (fixed in 2.4.13-1)
b
CVE-2021-39242 [HIGH] CVSS 7.5; haproxy; fixed in haproxy 2.2.16-1 (bookworm); 2021
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.
Scope: local
bookworm: resolved (fixed in 2.2.16-1)
bullseye: resolved (fixed in 2.2.9-2+deb11u1)
forky: resolved (fixed in 2.2.16-1)
sid:
CVE-2021-40346 [HIGH] CVSS 7.5; haproxy; fixed in haproxy 2.2.16-3 (bookworm); 2021
An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.
Scope: local
bookworm: resolved (fixed in 2.2.16-3)
bullseye: resolved (fixed in 2.2.9-2+deb11u2)
forky: resolved (fixed in 2.2.16-3
CVE-2021-39240 [HIGH] CVSS 7.5; haproxy; fixed in haproxy 2.2.16-1 (bookworm); 2021
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve.
Scope: local
bookworm: resolved (fixed in
CVE-2021-39241 [MEDIUM] CVSS 5.3; haproxy; fixed in haproxy 2.2.16-1 (bookworm); 2021
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example.
Sco