October 2025 – CVE-2025-11230: denial of service vulnerability in HAProxy mjson library

HAProxy Technologies has addressed a high severity denial of service vulnerability (CVE-2025-11230) within HAProxy. This issue arises from an Inefficient Algorithm Complexity (CWE-407) in the mjson library, a dependency of HAProxy. Specially crafted JSON requests containing large values could exploit this vulnerability, leading to HAProxy's watchdog terminating the process.

This vulnerability impacts configurations using JSON parsing function on all current versions of HAProxy, including HAProxy Community Edition, HAProxy Enterprise, HAProxy ALOHA appliances, and HAProxy Kubernetes Ingress Controller.

We strongly recommend that you upgrade to the latest version if you use the following JSON parsing functions: json_query(), jwt_header_query(), jwt_payload_query(). There is no workaround available other than updating HAProxy.

Vulnerability details

• CVE Identifier: CVE-2025-11230

• CVSSv3 Score: 7.5 (HIGH)

• Description: 

  • A flaw was discovered in how the mjson library, used by HAProxy, processes extremely large numbers. This is identified in CVE 2023-30421.

  • When HAProxy encounters requests containing these large numbers (e.g., 1e1000000000000000) in certain JSON parsing contexts (specifically json_query, jwt_header_query, or jwt_payload_query sample fetch methods), it can process for approximately one second before aborting.

  • This Inefficient Algorithm Complexity (CWE-407) weakness can be used to continuously send requests to HAProxy which can cause the watchdog to terminate the process, leading to denial of service to networks running HAProxy.

Affected versions and remediation

HAProxy Technologies has released new versions of affected products which fix the issue by privately forking a more efficient method into the mjson library. The issue has also been flagged to the maintainer of the mjson library.

There is no configuration-based remediation, as this issue can appear in any application-specific areas that have JSON requests enabled, aside from removing the rules involving these converters. The only solution is to update to a fixed version.

Product	Affected branches	Fixed versions
HAProxy Community Edition	2.4 2.6 2.8 3.0 3.1 3.2	2.4.30 2.6.23 2.8.16 3.0.12 3.1.9 3.2.6
HAProxy Enterprise	hapee-2.4r1 hapee-2.6r1 hapee-2.8r1 hapee-3.0r1 hapee-3.1r1	hapee-2.4r1-lb-1.0.0-294.1446 hapee-2.6r1-lb-1.0.0-301.1704 hapee-2.8r1-lb-1.0.0-327.1146 hapee-3.0r1-lb-1.0.0-346.795 hapee-3.1r1-lb-1.0.0-349.585
HAProxy ALOHA Appliance	17.0 16.5 15.5 14.5	17.0.7 16.5.19 15.5.28 14.5.33
HAProxy Kubernetes Ingress Controller	All versions	v3.1.12
HAProxy Enterprise Kubernetes Ingress Controller	All versions	v1.9.14-ee7 v1.11.12-ee10 v3.0.15-ee4

Upgrade instructions

Users of affected products should upgrade immediately by pulling the latest image version for their respective release track.

Support

If you are an HAProxy customer with questions about this advisory or upgrading to the latest version, please contact our support team.

Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.