Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
7DescriptionNVD
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
AnalysisAI
HAProxy versions 2.6 through 3.3.5 fail to validate that received HTTP/3 message body lengths match the announced Content-Length header when streams close via empty-payload frames, enabling request smuggling and backend desynchronization attacks. An unauthenticated remote attacker can exploit this via network-level HTTP/3 traffic to cause integrity violations (integrity impact rated low by CVSS), though practical exploitation requires high attack complexity. No public exploit code or active CISA KEV designation has been confirmed; the moderate CVSS 4.0 and high attack complexity suggest this is a specialized HTTP/3 protocol abuse requiring precise crafting.
Technical ContextAI
HAProxy's HTTP/3 parser implements QUIC-based HTTP semantics but contains a validation gap in the stream lifecycle. The vulnerability stems from CWE-130 (Improper Handling of Length Parameters), where the parser accepts stream termination (empty-payload frames closing the stream) without verifying that the cumulative bytes received match the Content-Length header declared at message start. This desynchronization allows an attacker to inject unintended message boundaries: a frontend client might believe a request ends at one point while the backend interprets it differently, creating a classic request smuggling window. Affected versions include HAProxy 2.6 through 3.3.5 across all operating systems (CPE: cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*). The issue is specific to the HTTP/3 protocol path (QUIC), not HTTP/1.1 or HTTP/2, making it a protocol-specific parser flaw.
RemediationAI
Upgrade HAProxy to version 3.3.6 or later, which includes the fix committed to the upstream repository (https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84). If immediate patching is not feasible, disable HTTP/3 support in HAProxy configuration to eliminate the attack surface; this involves removing QUIC listener configurations and reverting to HTTP/1.1 or HTTP/2 as the default protocol. Organizations using HAProxy 2.6 through 3.3.5 should prioritize patching and monitor mailing list announcements (https://www.mail-archive.com/haproxy@formilux.org/) for additional security guidance. Testing of patched versions in a staging environment is recommended before production deployment.
HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service
An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request
A flaw was found in HAProxy before 2.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no
HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2
The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, re
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situatio
FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux r
Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 a
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can w
Denial of service in HAProxy through 3.4.0 allows remote unauthenticated attackers to crash worker processes by triggeri
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise High Availability Extension 16.0 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Availability Extension 12 SP5 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP6 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap Micro 5.3 | Fixed |
| openSUSE Leap Micro 5.4 | Fixed |
| openSUSE Leap Micro 5.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21997
GHSA-5mp8-rq5m-pj7m