HAProxy Technologies has announced that HAProxy 2.0 or newer, HAProxy Enterprise 2.0 or newer, and HAProxy ALOHA 12.5 or newer are affected by CVE-2023-25725. If you are using an affected product, you should upgrade to the latest version immediately or apply the configuration detailed below.
This vulnerability affects the header parser and permits header manipulations that might be unauthorized or dangerous.
Examples:
a transfer-encoding header may be hidden after the presence of a content-length header is confirmed and sent to another proxy
a transfer-encoding header or a content-length header may be hidden after the internal parser has confirmed its presence; in this scenario, the parser will consider the missing header to still be present.
Affected Versions and Remediation
HAProxy Technologies released new versions of HAProxy, HAProxy Enterprise, HAProxy ALOHA, and HAProxy Kubernetes Ingress Controller on Tuesday, 14 February 2023. These releases patch the vulnerability described in CVE-2023-25725.
Users of the affected products should upgrade to the fixed version as soon as possible.
HAProxy Enterprise users can follow the upgrade instructions here: https://www.haproxy.com/documentation/hapee/latest/getting-started/upgrade/linux/#update-haproxy-enterprise
HAProxy ALOHA users can follow the upgrade instructions here: https://www.haproxy.com/documentation/aloha/latest/getting-started/firmware-updates/
To upgrade HAProxy Enterprise as a Docker container, follow the instructions here: https://www.haproxy.com/documentation/hapee/latest/getting-started/upgrade/docker/
Users of container images: please note that we are currently building fixed versions of the container images. We will update this article when they are available.
| Affected Version | Fixed Version |
| --- | --- |
| HAProxy 2.0 | HAProxy 2.0.31 |
| HAProxy 2.2 | HAProxy 2.2.29 |
| HAProxy 2.4 | HAProxy 2.4.22 |
| HAProxy 2.5 | HAProxy 2.5.12 |
| HAProxy 2.6 | HAProxy 2.6.9 |
| HAProxy 2.7 | HAProxy 2.7.3 |
| HAProxy Enterprise 2.0r1 | 2.0r1-1.0.0-248.1534 |
| HAProxy Enterprise 2.2r1 | 2.2r1-1.0.0-254.929 |
| HAProxy Enterprise 2.4r1 | 2.4r1-1.0.0-285.1010 |
| HAProxy Enterprise 2.5r1 | 2.5r1-1.0.0-285.653 |
| HAProxy Enterprise 2.6r1 | 2.6r1-1.0.0-288.770 |
| HAProxy ALOHA 12.5 | HAProxy ALOHA 12.5.18 |
| HAProxy ALOHA 13.5 | HAProxy ALOHA 13.5.19 |
| HAProxy ALOHA 14.0 | HAProxy ALOHA 14.0.11 |
| HAProxy ALOHA 14.5 | HAProxy ALOHA 14.5.6 |
| HAProxy Kubernetes Ingress Controller 1.7 | HAProxy Kubernetes Ingress Controller 1.7.12 |
| HAProxy Kubernetes Ingress Controller 1.8 | HAProxy Kubernetes Ingress Controller 1.8.11 |
| HAProxy Kubernetes Ingress Controller 1.9 | HAProxy Kubernetes Ingress Controller 1.9.3 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.7 | HAProxy Enterprise Kubernetes Ingress Controller 1.7.12 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.8 | HAProxy Enterprise Kubernetes Ingress Controller 1.8.11 |
Workaround
If you are not able to update right away, you can apply the following rule to mitigate the issues. Add it to your exposed frontend and then restart your HAProxy instance.
```
frontend myfrontend
    http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }
```
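To make the rule above easier to review, the following added Python example (it is not HAProxy's code and not part of the advisory) models the deny rule as a predicate over the request state the frontend sees after header parsing, and runs it over a few constructed request states. `ParsedRequest`, `parse_http1` and the sample inputs are assumptions made for this example; the condition in `workaround_denies` is the rule's five ACL terms transcribed one for one.

```python
# Added example, not code from HAProxy or the advisory: a Python model of the
# workaround's http-request deny rule, applied to constructed request states.
from dataclasses import dataclass, field


@dataclass
class ParsedRequest:
    """Request state as the frontend sees it once headers have been parsed (assumed model)."""
    http_major: int                               # fc_http_major: HTTP major version of the frontend connection
    method: str                                   # method: request method, e.g. POST
    headers: dict = field(default_factory=dict)   # lower-cased header name -> value
    body_size: int = 0                            # req.body_size: bytes of request body currently buffered


def parse_http1(raw: bytes) -> ParsedRequest:
    """Minimal HTTP/1.x parser for well-formed, self-consistent requests.
    Assumption: the whole request, including any body, is already in the buffer."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, _target, version = lines[0].split(" ", 2)
    major = int(version.split("/", 1)[1].split(".", 1)[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return ParsedRequest(major, method, headers, len(body))


def header_found(req: ParsedRequest, name: str) -> bool:
    """Equivalent of the ACL `req.hdr(<name>) -m found` (header names are case-insensitive)."""
    return name.lower() in req.headers


def workaround_denies(req: ParsedRequest) -> bool:
    """True when the advisory's rule matches:
        deny if { fc_http_major 1 } !{ req.body_size 0 }
                !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found }
                !{ method CONNECT }
    i.e. an HTTP/1 request that carries body bytes without either framing header."""
    return (
        req.http_major == 1
        and req.body_size != 0
        and not header_found(req, "content-length")
        and not header_found(req, "transfer-encoding")
        and req.method != "CONNECT"
    )


# Constructed sample states for this example (not captured traffic).
SAMPLES = {
    "get_no_body": parse_http1(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "post_content_length": parse_http1(
        b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"),
    "post_chunked": parse_http1(
        b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
        b"5\r\nhello\r\n0\r\n\r\n"),
    # The state the rule is written for: body bytes are buffered, but neither framing
    # header is present any more. Built directly, since a consistent parser never produces it.
    "body_without_framing_header": ParsedRequest(1, "POST", {"host": "example.test"}, body_size=5),
    # Exempted by the rule's last term.
    "connect_tunnel": ParsedRequest(1, "CONNECT", {"host": "example.test:443"}, body_size=16),
    # Outside the rule's scope: the first term restricts it to HTTP/1 frontend connections.
    "http2_frontend": ParsedRequest(2, "POST", {":authority": "example.test"}, body_size=5),
}


def evaluate_samples() -> dict:
    """Map each sample name to the verdict the rule would give."""
    return {name: ("deny" if workaround_denies(req) else "allow") for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:30s} {verdict}")
```

The model evaluates the request as already parsed, which is what the ACL fetches operate on; it does not reproduce the parser defect itself. Only the `body_without_framing_header` state is denied: a normal GET, a POST framed by Content-Length or Transfer-Encoding, a CONNECT, and an HTTP/2 request all pass, which is why the rule can be deployed on an exposed frontend without blocking ordinary traffic.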
Support
If you are an HAProxy Enterprise or HAProxy ALOHA customer and have questions about upgrading to the latest version or applying the configuration workaround detailed above, please get in touch with the HAProxy support team.