
HAProxy Technologies has addressed a high severity denial of service vulnerability (CVE-2025-11230) within HAProxy. This issue arises from an Inefficient Algorithm Complexity (CWE-407) in the mjson library, a dependency of HAProxy. Specially crafted JSON requests containing large values could exploit this vulnerability, leading to HAProxy's watchdog terminating the process.
This vulnerability impacts configurations using JSON parsing functions on all current versions of HAProxy, including HAProxy Community Edition, HAProxy Enterprise, HAProxy ALOHA appliances, and HAProxy Kubernetes Ingress Controller.
We strongly recommend that you upgrade to the latest version if you use the following JSON parsing functions: json_query(), jwt_header_query(), jwt_payload_query(). There is no workaround available other than updating HAProxy.
Vulnerability details
CVE Identifier: CVE-2025-11230
CVSSv3 Score: 7.5 (HIGH)
Description:
A flaw was discovered in how the mjson library, used by HAProxy, processes extremely large numbers. This is identified in CVE-2023-30421.
When HAProxy encounters requests containing these large numbers (e.g., 1e1000000000000000) in certain JSON parsing contexts (specifically the json_query, jwt_header_query, or jwt_payload_query sample fetch methods), it can process for approximately one second before aborting. This Inefficient Algorithm Complexity (CWE-407) weakness can be used to continuously send requests to HAProxy which can cause the watchdog to terminate the process, leading to denial of service to networks running HAProxy.
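As an added illustration (not part of the advisory, and not HAProxy's or mjson's code), the following Python helpers cover the two questions a defender has while scheduling the upgrade: which configuration rules use the three affected converters, and whether a JSON body carries numeric literals with an abnormal digit count or exponent, like the 1e1000000000000000 example above. The thresholds, the sample configuration and the sample bodies are constructed assumptions; the body screening is a monitoring heuristic, not a substitute for the fixed version.

```python
import json
import re

# Constructed thresholds (assumptions, not values from the advisory):
# legitimate JSON numbers rarely need more than 64 significant digits, and
# any exponent beyond the double range (about 308) is already pathological.
MAX_DIGITS = 64
MAX_EXPONENT = 308

# Converters the advisory names as affected.
AFFECTED_CONVERTERS = ("json_query", "jwt_header_query", "jwt_payload_query")

# JSON number grammar: sign, integer digits, optional fraction, optional exponent.
_NUMBER = re.compile(r"^-?(\d+)(?:\.(\d+))?(?:[eE]([-+]?\d+))?$")

# Constructed HAProxy frontend for illustration (not a real deployment).
SAMPLE_CONFIG = """\
# constructed HAProxy frontend for illustration
frontend api
    bind :8080
    option http-buffer-request
    http-request set-var(txn.sub) req.hdr(Authorization),word(2,' '),jwt_payload_query('$.sub')
    http-request set-var(txn.alg) req.hdr(Authorization),word(2,' '),jwt_header_query('$.alg')
    http-request deny if { req.body,json_query('$.role') -m str admin }
    default_backend app
"""


def find_affected_rules(config_text):
    """Return (line_number, converter) pairs for non-comment config lines that
    mention an affected converter. A textual audit, not a full config parser."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for conv in AFFECTED_CONVERTERS:
            if conv in stripped:
                hits.append((lineno, conv))
    return hits


def is_suspicious_literal(literal):
    """True if a JSON number literal exceeds the digit or exponent thresholds."""
    m = _NUMBER.match(literal)
    if not m:
        return True
    int_digits, frac_digits, exponent = m.groups()
    if len(int_digits) + len(frac_digits or "") > MAX_DIGITS:
        return True
    if exponent is not None:
        # Judge by digit count first so a huge exponent never reaches int().
        magnitude = exponent.lstrip("+-").lstrip("0")
        if len(magnitude) > len(str(MAX_EXPONENT)):
            return True
        if magnitude and int(magnitude) > MAX_EXPONENT:
            return True
    return False


def find_suspicious_numbers(body):
    """Parse a JSON body and return the numeric literals that trip the
    thresholds. json's parse_int/parse_float hooks receive the raw literal
    text before any numeric conversion. Invalid JSON raises JSONDecodeError."""
    found = []

    def hook(literal):
        if is_suspicious_literal(literal):
            found.append(literal)
            return 0  # placeholder; only the literal text matters here
        return float(literal) if any(c in literal for c in ".eE") else int(literal)

    json.loads(body, parse_int=hook, parse_float=hook)
    return found


if __name__ == "__main__":
    for lineno, conv in find_affected_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: uses {conv}")
    # Constructed request bodies: one benign, one with the advisory's example value.
    print(find_suspicious_numbers('{"user": "alice", "amount": 12.50, "scale": 2e10}'))
    print(find_suspicious_numbers('{"user": "alice", "amount": 1e1000000000000000}'))
```

Running the audit over a real configuration file means reading it into find_affected_rules; every hit is a rule that stays exposed until the fixed version is deployed. The screening hook works on the literal text rather than the converted value, which is the point: the cost the advisory describes is incurred while converting the number, so a check on the literal is cheap regardless of how large the value would be.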
Affected versions and remediation
HAProxy Technologies has released new versions of affected products which fix the issue by privately forking a more efficient method into the mjson library. The issue has also been flagged to the maintainer of the mjson library.
There is no configuration-based remediation, as this issue can appear in any application-specific areas that have JSON requests enabled, aside from removing the rules involving these converters. The only solution is to update to a fixed version.
Product | Affected branches | Fixed versions |
---|---|---|
HAProxy Community Edition | 2.4 | |
HAProxy Enterprise | hapee-2.4r1 | |
HAProxy ALOHA Appliance | 17.0, 16.5, 15.5, 14.5 | |
HAProxy Kubernetes Ingress Controller | All versions | |
HAProxy Enterprise Kubernetes Ingress Controller | All versions | |
Upgrade instructions
Users of affected products should upgrade immediately by pulling the latest image version for their respective release track.
Support
If you are an HAProxy customer with questions about this advisory or upgrading to the latest version, please contact our support team.