haproxy security update

HAProxy Technologies has addressed a high-severity denial of service vulnerability (CVE-2025-11230) in HAProxy. The issue is an Inefficient Algorithmic Complexity (CWE-407) weakness in the mjson library, the JSON parsing dependency bundled with HAProxy. Specially crafted requests whose JSON contains extremely large numeric values take the parser down a very slow path; a stream of such requests leads HAProxy's watchdog to terminate the process.

This vulnerability affects configurations that use the JSON parsing converters on all current versions of HAProxy, including HAProxy Community Edition, HAProxy Enterprise, HAProxy ALOHA appliances, and the HAProxy Kubernetes Ingress Controller.

We strongly recommend upgrading to a fixed version if your configuration uses any of the following JSON parsing converters: json_query(), jwt_header_query(), jwt_payload_query(). There is no workaround other than updating HAProxy, short of removing the rules that use these converters.

Vulnerability details

  • CVE Identifier: CVE-2025-11230

  • CVSSv3 Score: 7.5 (HIGH)

  • Description: 

    • A flaw was discovered in how the mjson library, used by HAProxy, processes extremely large numbers. The underlying library issue is tracked as CVE-2023-30421.

    • When HAProxy parses a request containing such a number (e.g., 1e1000000000000000) through the json_query, jwt_header_query, or jwt_payload_query converters, the parser can spend on the order of one second on that single value before aborting.

    • Because the cost scales with the size of the attacker-supplied exponent (the CWE-407 weakness), an attacker can send such requests continuously, causing the watchdog to terminate the process and denying service to all traffic passing through HAProxy.
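To make the CWE-407 mechanism concrete, the following is an added illustrative example in Python; it is not mjson's or HAProxy's code. It shows a toy decimal-number parser that applies the exponent one multiplication at a time (cost proportional to the exponent the attacker writes after the "e") beside a bounded version that clamps the exponent to the range a 64-bit double can represent and applies it by repeated squaring. The loop shapes, the step budget standing in for HAProxy's watchdog, and the MAX_USEFUL_EXP clamp are assumptions made for the demonstration, not details taken from the advisory or from mjson.

```python
# Illustrative Python example of the CWE-407 pattern behind this advisory.
# It is NOT mjson's or HAProxy's code; the loop shapes, the step budget that
# stands in for HAProxy's watchdog, and the MAX_USEFUL_EXP clamp are
# assumptions made for the demonstration.
import re

NUMBER_RE = re.compile(r"^(-?\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?$")

# A 64-bit double tops out near 1.8e308 and its smallest subnormal is about
# 4.9e-324, so any decimal exponent beyond +/-400 can only overflow to inf or
# underflow to 0.0. Clamping there loses nothing and makes the work
# independent of how many digits follow the 'e'.
MAX_USEFUL_EXP = 400


def _split(text):
    """Split a JSON-style number into (mantissa as float, decimal exponent)."""
    m = NUMBER_RE.match(text)
    if not m:
        raise ValueError("not a number: %r" % text)
    int_part, frac_part, exp_part = m.groups()
    mantissa = float(int_part + "." + (frac_part or "0"))
    return mantissa, int(exp_part or 0)


def parse_number_naive(text, step_budget=None):
    """Apply the exponent one multiplication/division at a time, i.e.
    O(|exponent|) work. Returns (value, steps). When step_budget is set and
    exhausted, raises TimeoutError to model the watchdog killing the worker."""
    mantissa, exp = _split(text)
    value, steps = mantissa, 0
    for _ in range(abs(exp)):
        value = value * 10.0 if exp > 0 else value / 10.0
        steps += 1
        if step_budget is not None and steps > step_budget:
            raise TimeoutError("gave up after %d steps on %r" % (steps, text))
    return value, steps


def _pow10(exp):
    """10**exp by repeated squaring: O(log |exp|) loop iterations, counted.
    Float multiplication overflows to inf (and 1.0/inf == 0.0) without raising."""
    result, base, n, steps = 1.0, 10.0, abs(exp), 0
    while n:
        if n & 1:
            result *= base
        base *= base
        n >>= 1
        steps += 1
    return (result if exp >= 0 else 1.0 / result), steps


def parse_number_bounded(text):
    """Clamp the exponent before applying it, so the cost stays bounded no
    matter how large the exponent in the input is. Returns (value, steps)."""
    mantissa, exp = _split(text)
    if mantissa == 0.0:
        return 0.0, 0          # 0 * inf would be nan; 0e<anything> is 0
    exp = max(-MAX_USEFUL_EXP, min(MAX_USEFUL_EXP, exp))
    scale, steps = _pow10(exp)
    return mantissa * scale, steps


if __name__ == "__main__":
    hostile = "1e1000000000000000"      # shape of input named in the advisory
    print("bounded:", parse_number_bounded(hostile))
    try:
        parse_number_naive(hostile, step_budget=1_000_000)
    except TimeoutError as e:
        print("naive  :", e)
```

The naive parser needs a million-step budget to give up on a single hostile value; the bounded one finishes in nine loop iterations and returns inf, which is also what a correct strtod would produce. The general lesson for any hand-written numeric parser exposed to untrusted input is the same: never let the amount of work depend on a magnitude the attacker chooses.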

Affected versions and remediation

HAProxy Technologies has released new versions of the affected products. The fix replaces the slow number-parsing path with a more efficient method in HAProxy's own bundled copy of the mjson library. The issue has also been reported to the maintainer of mjson.

There is no configuration-based remediation short of removing the rules that use these converters, because the slow path is reached by any rule that applies json_query, jwt_header_query, or jwt_payload_query to attacker-controlled input. The only complete fix is to update to a fixed version.

Product                                   Affected branches   Fixed versions

HAProxy Community Edition                 2.4                 2.4.30
                                          2.6                 2.6.23
                                          2.8                 2.8.16
                                          3.0                 3.0.12
                                          3.1                 3.1.9
                                          3.2                 3.2.6

HAProxy Enterprise                        hapee-2.4r1         hapee-2.4r1-lb-1.0.0-294.1446
                                          hapee-2.6r1         hapee-2.6r1-lb-1.0.0-301.1704
                                          hapee-2.8r1         hapee-2.8r1-lb-1.0.0-327.1146
                                          hapee-3.0r1         hapee-3.0r1-lb-1.0.0-346.795
                                          hapee-3.1r1         hapee-3.1r1-lb-1.0.0-349.585

HAProxy ALOHA Appliance                   17.0                17.0.7
                                          16.5                16.5.19
                                          15.5                15.5.28
                                          14.5                14.5.33

HAProxy Kubernetes Ingress Controller     All versions        v3.1.12

HAProxy Enterprise Kubernetes Ingress     All versions        v1.9.14-ee7
Controller                                                    v1.11.12-ee10
                                                              v3.0.15-ee4

Upgrade instructions

Users of affected products should upgrade immediately to the fixed version listed above for their release track; for the Kubernetes ingress controllers, pull the latest image for the release track in use.
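As an added practitioner check (example code, not HAProxy's own tooling), the script below scans a configuration for the three affected converters and compares a `haproxy -v` banner against the Community Edition fixed versions from the table above. The sample configuration is constructed for the example, only Community Edition version strings are understood (Enterprise, ALOHA and ingress controller version schemes are not parsed), and the simple handling of `#` comments is an assumption.

```python
# Added practitioner check; example code, not HAProxy's own tooling.
# Flags configuration lines that use the converters affected by
# CVE-2025-11230 and compares a `haproxy -v` banner against the Community
# Edition fixed versions from the advisory table. Comment handling is
# deliberately simple (an assumption), and only Community Edition version
# strings are understood.
import re

AFFECTED_CONVERTERS = ("json_query", "jwt_header_query", "jwt_payload_query")

# Community Edition fixed versions, per the advisory table.
FIXED_CE = {
    "2.4": (2, 4, 30),
    "2.6": (2, 6, 23),
    "2.8": (2, 8, 16),
    "3.0": (3, 0, 12),
    "3.1": (3, 1, 9),
    "3.2": (3, 2, 6),
}

CONVERTER_RE = re.compile(r"\b(" + "|".join(AFFECTED_CONVERTERS) + r")\s*\(")
# Matches both "HAProxy version 3.0.5-..." and the older "HA-Proxy version 2.4.22-..."
VERSION_RE = re.compile(r"HA-?Proxy version (\d+)\.(\d+)\.(\d+)")

# Constructed sample configuration for the example (not taken from the advisory).
SAMPLE_CFG = """\
# constructed sample configuration
frontend fe_api
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    http-request set-var(txn.sub) req.hdr(Authorization),word(2," "),jwt_payload_query('$.sub')
    http-request deny if { req.body,json_query('$.role') -m str admin }
    # http-request set-var(txn.alg) req.hdr(Authorization),word(2," "),jwt_header_query('$.alg')
    default_backend be_app
"""


def find_affected_rules(config_text):
    """Return (line_number, converter, stripped_line) for every non-comment
    configuration line that invokes one of the affected converters."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]        # drop trailing/whole-line comments
        for m in CONVERTER_RE.finditer(code):
            hits.append((lineno, m.group(1), line.strip()))
    return hits


def check_version(haproxy_v_output):
    """Parse the version from `haproxy -v` output. Returns
    (branch, (major, minor, patch), fixed) where fixed is True/False, or None
    when the branch is not listed in the advisory table."""
    m = VERSION_RE.search(haproxy_v_output)
    if not m:
        raise ValueError("no HAProxy version string found")
    ver = tuple(int(x) for x in m.groups())
    branch = "%d.%d" % ver[:2]
    fixed_at = FIXED_CE.get(branch)
    if fixed_at is None:
        return branch, ver, None
    return branch, ver, ver >= fixed_at


def assess(config_text, haproxy_v_output):
    """Combine both checks into one verdict: 'not-exposed' when no affected
    converter is configured, 'patched' when the running version is at or above
    the fix, 'unknown' for a branch outside the table, else 'vulnerable'."""
    if not find_affected_rules(config_text):
        return "not-exposed"
    _, _, fixed = check_version(haproxy_v_output)
    if fixed is None:
        return "unknown"
    return "patched" if fixed else "vulnerable"


if __name__ == "__main__":
    banner = "HAProxy version 3.0.11-1 2025/09/01 - https://haproxy.org/"  # constructed
    for lineno, conv, text in find_affected_rules(SAMPLE_CFG):
        print("line %d uses %s: %s" % (lineno, conv, text))
    print("verdict:", assess(SAMPLE_CFG, banner))
```

To run it against a real host, read the configuration file (and any files it includes) into `config_text` and pass the first line of `haproxy -v` to `check_version`; a "not-exposed" verdict only means the converters are absent from the configuration, which is not a reason to skip the upgrade.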

Support

If you are an HAProxy customer with questions about this advisory or upgrading to the latest version, please contact our support team.
