Haproxy

Haproxy

38 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.39%
  • Veröffentlicht 18.06.2026 16:05:52
  • Zuletzt bearbeitet 26.06.2026 02:39:04

HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attack...

  • EPSS 0.32%
  • Veröffentlicht 18.06.2026 16:05:20
  • Zuletzt bearbeitet 26.06.2026 02:47:33

HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the ...

Exploit
  • EPSS 0.3%
  • Veröffentlicht 13.04.2026 00:00:00
  • Zuletzt bearbeitet 29.06.2026 15:28:15

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronizatio...

  • EPSS 0.18%
  • Veröffentlicht 10.04.2026 04:17:17
  • Zuletzt bearbeitet 27.04.2026 17:57:21

wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by ...

  • EPSS 0.48%
  • Veröffentlicht 19.11.2025 09:28:39
  • Zuletzt bearbeitet 19.12.2025 16:44:55

Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.

  • EPSS 0.69%
  • Veröffentlicht 09.04.2025 00:00:00
  • Zuletzt bearbeitet 15.04.2026 00:35:42

HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.

  • EPSS 1.04%
  • Veröffentlicht 28.11.2024 03:15:16
  • Zuletzt bearbeitet 15.04.2026 00:35:42

Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As ...

  • EPSS 0.5%
  • Veröffentlicht 14.10.2024 04:15:05
  • Zuletzt bearbeitet 15.04.2026 00:35:42

QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.

  • EPSS 1.2%
  • Veröffentlicht 04.09.2024 15:15:14
  • Zuletzt bearbeitet 14.03.2025 20:15:13

HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions, as exploited in the wild in 2024.

  • EPSS 1.53%
  • Veröffentlicht 28.11.2023 20:15:07
  • Zuletzt bearbeitet 21.11.2024 08:26:56

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static se...