A security vulnerability has been found in HAProxy, a widely used open-source load balancer and reverse proxy for TCP and HTTP-based applications, that could be abused by an adversary to smuggle HTTP requests, resulting in bypassed security controls and unauthorized access to sensitive data, effectively opening the door to an array of attacks.
Tracked as CVE-2023-25725, the vulnerability lets an attacker bypass HAProxy’s header processing because HTTP/1 headers are inadvertently lost in some situations; as a result, an attacker could smuggle HTTP requests to the backend server via a crafted HTTP request.
“A properly crafted HTTP request can make HAProxy drop some important header fields such as Connection, Content-length, Transfer-Encoding, Host etc. after having parsed and at least partially processed them. Because of this, the request that HAProxy forwards doesn’t match what it thinks it is and some parts of a request body can be used to create extra requests to the server, that will not be filtered nor detected by HAProxy. This can for example be used to bypass an authentication check that is present on haproxy for some URLs, or access some restricted area that is normally accessible only if some specific checks are validated,” according to an HAProxy advisory.
The bug affects all versions to different degrees:
- HTX-aware versions (2.0 in default config and all versions above) are impacted in HTTP/1. HTTP/2 and HTTP/3 also suffer from the bug, but no parsing or processing happens on the dropped headers, so HAProxy stays properly synchronized with the server (i.e. there’s no request smuggling attack there).
- non-HTX versions (1.9 and before, or 2.0 in legacy mode) will not drop the header, but will nonetheless pass the faulty request as-is to a server. This means that, while such versions will not be abused to attack a server, if placed at the edge they are not sufficient to protect an internal HAProxy instance either.
Bahruz Jabiyev, Anthony Gavazzi, and Engin Kirda from Northeastern University, Kaan Onarlioglu from Akamai Technologies, and Adi Peleg and Harvey Tuch from Google have been credited with finding the flaw.
CVE-2023-25725 has been addressed in HAProxy versions 2.8-dev4, 2.7.3, 2.6.9, 2.5.12, 2.4.12, 2.2.29, and 2.0.31.
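The practical question for an operator is whether a given HAProxy build falls into one of the three situations above: a legacy non-HTX release that forwards the faulty request unchanged, an HTX-aware release older than the fix for its branch, or a fixed release. The following Python script is an added example written for this article, not code from the HAProxy project or the advisory. It encodes the fixed releases listed above per branch and classifies a version string or a `haproxy -v` banner line; the banner format and the `1ba46a4` build tag in the test input are constructed sample values, not taken from the advisory. Note that "2.0 in legacy mode" is a configuration choice that a version string cannot reveal, so a 2.0 build is assessed as an HTX-aware release.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory for CVE-2023-25725, keyed by branch.
# Branches not listed here (e.g. 2.1, 2.3) have no fixed release in the advisory.
FIXED_BY_BRANCH = {
    "2.8": "2.8-dev4",
    "2.7": "2.7.3",
    "2.6": "2.6.9",
    "2.5": "2.5.12",
    "2.4": "2.4.12",
    "2.2": "2.2.29",
    "2.0": "2.0.31",
}

# Matches "2.6.9", "2.8-dev4" and build-tagged strings such as "2.6.9-1ba46a4"
# (the build-tag form is an assumed banner layout, not specified by the advisory).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+)|-dev(\d+))(?=[-+\s]|$)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return a sortable key (major, minor, stage, n).

    stage is 0 for a development snapshot (n = dev number) and 1 for a
    release (n = patch level), so 2.8-dev4 sorts before 2.8.0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no HAProxy version found in {text!r}")
    major, minor, patch, dev = m.groups()
    if dev is not None:
        return (int(major), int(minor), 0, int(dev))
    return (int(major), int(minor), 1, int(patch))


def assess(text: str) -> Tuple[str, str]:
    """Classify a version string or `haproxy -v` banner for CVE-2023-25725.

    Returns (status, detail) with status one of
    'legacy', 'fixed', 'vulnerable' or 'unknown'.
    """
    v = parse_version(text)
    branch = f"{v[0]}.{v[1]}"
    if v < (2, 0, 0, 0):
        # 1.9 and earlier never used HTX: they do not drop the header but
        # forward the faulty request unchanged, so they protect nothing behind them.
        return ("legacy", "non-HTX release: forwards the faulty request as-is; "
                          "not sufficient as an edge filter for internal instances")
    if v >= parse_version("2.8-dev4"):
        # 2.8-dev4 is the first development snapshot carrying the fix, so every
        # later snapshot, release and branch inherits it.
        return ("fixed", "at or after 2.8-dev4")
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return ("unknown", f"branch {branch} has no fixed release in the advisory; "
                           "move to a branch that has one")
    if v >= parse_version(fixed):
        return ("fixed", f"at or after {fixed}")
    return ("vulnerable", f"upgrade to {fixed} or later")


if __name__ == "__main__":
    # Constructed sample inputs: a bare version and an assumed `haproxy -v` banner line.
    for sample in ("2.7.2", "2.8-dev3", "1.9.16", "2.3.10",
                   "HAProxy version 2.6.9-1ba46a4 2023/02/14 - https://haproxy.org/"):
        status, detail = assess(sample)
        print(f"{sample!r}: {status} ({detail})")
```

Feed it the output of `haproxy -v` from each node; anything reported as `vulnerable` or `unknown` needs an upgrade to the fixed release for its branch, and a `legacy` result means the node cannot be relied on to shield HTX-aware instances behind it.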