CVE-2023-25725

NameCVE-2023-25725
DescriptionHAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3318-1, DSA-5348-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
haproxy (PTS)jessie, jessie (lts)1.5.8-3+deb8u4fixed
stretch (security)1.7.5-2+deb9u1fixed
stretch (lts), stretch1.7.5-2+deb9u2fixed
buster (security), buster, buster (lts)1.8.19-1+deb10u5fixed
bullseye (security), bullseye2.2.9-2+deb11u6fixed
bookworm (security), bookworm2.6.12-1+deb12u1fixed
sid, trixie3.0.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
haproxysourcejessie(not affected)
haproxysourcestretch(not affected)
haproxysourcebuster1.8.19-1+deb10u4DLA-3318-1
haproxysourcebullseye2.2.9-2+deb11u4DSA-5348-1
haproxysource(unstable)2.6.8-2

Notes

https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=73be199c4f5f1ed468161a4c5e10ca77cd5989d8 (v2.6.9)
[stretch] - haproxy <not-affected> (The vulnerable code was introduced later)
[jessie] - haproxy <not-affected> (The vulnerable code was introduced later)

Search for package or bug name: Reporting problems