August 2023 - CVE-2023-40225: Empty content-length header vulnerability fixed


  • Sept 7: Updated now that AWS and Azure images are available.

The latest versions of our products fix a vulnerability related to the HTTP header Content-Length. The incorrect behavior allowed for an empty Content-Length header to pass through HAProxy to backend web servers instead of being outright rejected. Then a request containing two Content-Length headers—one empty and one perfectly valid—would be transmitted as-is to the server, and if this server incorrectly used the empty one and interpreted it as having a value of zero, this would allow the content to be taken for a new request, bypassing the inspection.

Popular web servers such as Apache and NGINX are not susceptible to such an invalid request, but other, non-compliant servers may be.

If you are using an affected product, you should upgrade to the fixed version or apply the workaround configuration detailed below.

We would like to thanks Ben Kallus of Dartmouth College and Narf Industries for reporting this issue.


If you are not able to update right away, you can apply the following rules to mitigate the issues. Add this to your exposed frontend and then restart your HAProxy instance.

frontend myfrontend
http-request deny if { hdr_len(content-length) 0 }

Affected Versions & Remediation

HAProxy Technologies released new versions of HAProxy, HAProxy Enterprise, and HAProxy ALOHA on Monday, 21 August 2023. These releases patch the vulnerability described in CVE-2023-40225 (CVSSv3 score of 7.2). Configurations running on HAProxy version 2.0 in legacy mode (no option http-use-htx), as well as end-of-life versions prior to HAProxy / HAProxy Enterprise 2.0 and HAProxy ALOHA 12.5 are not affected.

Users of the affected products should upgrade to the fixed version as soon as possible.

Amazon AMIs and Azure VHDs are available.

Affected version

Fixed version

HAProxy 2.8


HAProxy 2.7


HAProxy 2.6


HAProxy 2.4


HAProxy 2.2


HAProxy 2.0


HAProxy Enterprise 2.7r1


HAProxy Enterprise 2.6r1


HAProxy Enterprise 2.5r1


HAProxy Enterprise 2.4r1


HAProxy Enterprise 2.2r1


HAProxy Enterprise 2.0r1


HAProxy ALOHA 15.0


HAProxy ALOHA 14.5


HAProxy ALOHA 14.0


HAProxy ALOHA 13.5


HAProxy ALOHA 12.5



If you are an HAProxy Enterprise or HAProxy ALOHA customer and have questions about upgrading to the latest version or applying the configuration workaround detailed above, please get in touch with the HAProxy support team.

Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.