Vulnerabilities > Haproxy
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-04 | CVE-2024-45506 | Unspecified vulnerability in Haproxy HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions, as exploited in the wild in 2024. | 7.5 |
| 2023-11-28 | CVE-2023-45539 | Unspecified vulnerability in Haproxy HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. | 8.2 |
| 2023-08-10 | CVE-2023-40225 | HTTP Request Smuggling vulnerability in Haproxy HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. | 7.2 |
| 2023-04-11 | CVE-2023-25950 | HTTP Request Smuggling vulnerability in Haproxy HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. | 7.3 |
| 2023-03-29 | CVE-2023-0836 | Incomplete Cleanup vulnerability in Haproxy An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. | 7.5 |
| 2023-03-23 | CVE-2023-0056 | Resource Exhaustion vulnerability in multiple products An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. | 6.5 |
| 2023-02-14 | CVE-2023-25725 | HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. | 9.1 |
| 2022-03-02 | CVE-2022-0711 | Infinite Loop vulnerability in multiple products A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. | 7.5 |
| 2021-09-08 | CVE-2021-40346 | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs. | 7.5 |
| 2021-08-17 | CVE-2021-39240 | An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. | 7.5 |