CVE-2023-25725
First published: Sat Feb 11 2023(Updated: )
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/haproxy | <0:2.4.17-3.el9_1.2 | 0:2.4.17-3.el9_1.2 |
| redhat/haproxy | <0:2.4.7-2.el9_0.2 | 0:2.4.7-2.el9_0.2 |
| redhat/haproxy | <0:2.2.19-4.el8 | 0:2.2.19-4.el8 |
| redhat/haproxy | <0:2.2.24-3.rhaos4.11.el8 | 0:2.2.24-3.rhaos4.11.el8 |
| redhat/haproxy | <0:2.2.24-3.rhaos4.12.el8 | 0:2.2.24-3.rhaos4.12.el8 |
| redhat/haproxy | <0:2.2.24-3.rhaos4.13.el8 | 0:2.2.24-3.rhaos4.13.el8 |
| Haproxy Haproxy | <2.0.31 | |
| Haproxy Haproxy | >=2.1.0<2.2.29 | |
| Haproxy Haproxy | >=2.3.0<2.4.22 | |
| Haproxy Haproxy | >=2.5.0<2.5.12 | |
| Haproxy Haproxy | >=2.6.0<2.6.9 | |
| Haproxy Haproxy | >=2.7.0<2.7.3 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| redhat/HAProxy | <2.0.31 | 2.0.31 |
| redhat/HAProxy | <2.2.29 | 2.2.29 |
| redhat/HAProxy | <2.4.22 | 2.4.22 |
| redhat/HAProxy | <2.5.12 | 2.5.12 |
| redhat/HAProxy | <2.6.9 | 2.6.9 |
| redhat/HAProxy | <2.7.3 | 2.7.3 |
| redhat/HAProxy | <2.8 | 2.8 |
| debian/haproxy | 2.2.9-2+deb11u6 2.6.12-1+deb12u1 2.9.12-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2023-25725 https://nvd.nist.gov/vuln/detail/CVE-2023-25725 https://www.haproxy.com/blog/february-2023-header-parser-fixed/ https://www.mail-archive.com/haproxy@formilux.org/msg43229.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2169089
- https://access.redhat.com/errata/RHSA-2023:1696
- https://access.redhat.com/errata/RHSA-2023:1978
- https://access.redhat.com/errata/RHSA-2023:1655
- https://access.redhat.com/errata/RHBA-2023:1649
- https://access.redhat.com/errata/RHSA-2023:1268
- https://access.redhat.com/errata/RHSA-2023:1325
- https://access.redhat.com/security/cve/CVE-2023-25725
- https://git.haproxy.org/?p=haproxy-2.7.git;a=commit;h=a0e561ad7f29ed50c473f5a9da664267b60d1112
- https://lists.debian.org/debian-lts-announce/2023/02/msg00012.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPTJQHKUEU2PQ7RWFUYAFLAD4STEIKHU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JM5NCIBTHYDTLPY2UNC4HO2VAHHE6CJG/
- https://www.debian.org/security/2023/dsa-5348
- https://www.haproxy.org/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2169823
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170060
- https://access.redhat.com/security/cve/cve-2023-25725
- https://security-tracker.debian.org/tracker/CVE-2023-25725
- https://www.mail-archive.com/haproxy@formilux.org/msg43229.html
- https://access.redhat.com/errata/RHSA-2024:0746
- https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=73be199c4f5f1ed468161a4c5e10ca77cd5989d8
- https://git.haproxy.org/?p=haproxy-2.7.git%3Ba=commit%3Bh=a0e561ad7f29ed50c473f5a9da664267b60d1112
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPTJQHKUEU2PQ7RWFUYAFLAD4STEIKHU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JM5NCIBTHYDTLPY2UNC4HO2VAHHE6CJG/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-25725?
CVE-2023-25725 is a vulnerability in HAProxy that allows bypass of access control through request smuggling.
What is the severity of CVE-2023-25725?
CVE-2023-25725 has a severity rating of 9.1 (Critical).
How does CVE-2023-25725 affect HAProxy?
CVE-2023-25725 affects HAProxy versions before 2.7.3 and may cause the loss of important HTTP/1 headers, leading to a bypass of access control.
How can I fix CVE-2023-25725?
To fix CVE-2023-25725, update HAProxy to version 2.7.3 or later.
Where can I find more information about CVE-2023-25725?
You can find more information about CVE-2023-25725 at the following references: [Bugzilla - 2169823](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2169823), [Bugzilla - 2170060](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2170060), [Red Hat Security Advisory - CVE-2023-25725](https://access.redhat.com/security/cve/CVE-2023-25725).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/severity
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-25725
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/haproxy
- canonical/haproxy haproxy
- version/haproxy haproxy/2.1.0
- version/haproxy haproxy/2.3.0
- version/haproxy haproxy/2.5.0
- version/haproxy haproxy/2.6.0
- version/haproxy haproxy/2.7.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/debian