In the latest security advisory, HAProxy revealed that CVE-2024-45506, a vulnerability in its popular load balancing and proxy software, is now actively exploited. The vulnerability, which has a CVSS score of 7.5, affects the HTTP/2 multiplexer in HAProxy. Under certain conditions, it can cause an endless loop, leading to a system crash and a remote denial-of-service (DoS) attack. This flaw impacts several HAProxy products, including Enterprise, ALOHA, and Kubernetes Ingress Controllers.
The vulnerability originates in the HTTP/2 multiplexer when it is combined with zero-copy forwarding, an optimization that passes data between sides without copying it through an intermediate buffer. Under rare circumstances, an attacker can trigger an endless loop in the h2_send() function. The loop occurs when a processing error causes the multiplexer to emit a GOAWAY frame while the output buffer is almost full and the input buffer cannot make progress because the frames it holds are incomplete. The situation is aggravated when several streams are transmitting data at the same time in zero-copy mode, which puts further pressure on the buffers.
HAProxy developers noted that while this condition is difficult to reproduce, it has been observed in at least one active exploitation case, leading to the crash of HAProxy under heavy load. A denial-of-service attack in this context can disrupt high-availability services and impact critical operations that depend on HAProxy’s load-balancing capabilities.
The vulnerability affects a range of HAProxy versions across different products. The table below lists the affected versions and the corresponding fixed releases:

| Affected version | Fixed version |
|---|---|
| HAProxy 3.0 | 3.0.4 |
| HAProxy 2.9 | 2.9.10 |
| HAProxy Enterprise 2.9r1 | hapee-2.9r1-lb 1.0.0-328.475 |
| HAProxy ALOHA 16.0 | 16.0.4 |
| HAProxy Kubernetes Ingress Controller 3.0 | 3.0.1 |
| HAProxy Kubernetes Ingress Controller 1.11 | 1.11.6 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.11 | 1.11.6-ee7 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.7 | 1.7.12-ee12 |
Though CVE-2024-45506 is reportedly difficult to exploit, one confirmed instance of active exploitation demonstrates the seriousness of this vulnerability. As more attackers target infrastructure-level vulnerabilities, the risk to high-profile HAProxy users—including major websites such as GitHub, Reddit, and Twitter—continues to grow.
In this case, a DoS attack could disrupt the load balancing capabilities of these services, potentially bringing down entire systems during high-traffic periods. For organizations depending on HAProxy for traffic distribution and high availability, even a temporary crash could result in significant financial and operational losses.
HAProxy urges all users to update to the fixed versions listed in the table above as soon as possible to prevent exploitation. The patches resolve the loop in the HTTP/2 multiplexer and restore stable operation.
For organizations unable to apply the patches right away, HAProxy provides a workaround that disables the zero-copy forwarding system—a feature contributing to the vulnerability. To implement this temporary fix, administrators should add the following directive to the global section of their HAProxy configuration:
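The following script is an added example written for this page; it is not code from HAProxy or from the article. It turns the advisory table into a quick inventory check: it parses the version banner printed by `haproxy -v` for the two community branches in the table (Enterprise, ALOHA and Ingress builds carry their own version strings and are not handled), reports whether the running build predates the fixed release, and inspects the configuration's global section for the zero-copy-forwarding kill switch. The directive name `tune.disable-zero-copy-forwarding` is taken from HAProxy's configuration manual (it exists from 2.9 onwards) rather than from this page, and the banner and configuration samples are constructed for the demonstration.

```python
"""Inventory check for CVE-2024-45506: version against the advisory table,
plus presence of the zero-copy-forwarding workaround in the global section.
Added example; not HAProxy's own tooling."""
import re

# Community branches and fixed versions, copied from the advisory table.
FIXED_VERSIONS = {
    (3, 0): (3, 0, 4),
    (2, 9): (2, 9, 10),
}

# Global-section directive that disables zero-copy forwarding. Name taken
# from the HAProxy configuration manual (2.9+), not from this page.
WORKAROUND_DIRECTIVE = "tune.disable-zero-copy-forwarding"

# Keywords that open a configuration section; anything else is a directive.
SECTION_KEYWORDS = {
    "global", "defaults", "frontend", "backend", "listen", "peers",
    "resolvers", "userlist", "cache", "mailers", "program", "ring",
    "http-errors", "log-forward", "fcgi-app",
}

VERSION_RE = re.compile(r"HAProxy version (\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `haproxy -v`."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no HAProxy version string found in banner")
    return tuple(int(x) for x in m.groups())


def assess(version: tuple) -> str:
    """'vulnerable' if below the branch's fixed release, 'fixed' if at or
    above it, 'not-listed' for branches absent from the advisory table."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "fixed" if version >= fixed else "vulnerable"


def has_workaround(config_text: str) -> bool:
    """True if the global section contains the zero-copy-disable directive.
    Comments are stripped and the directive only counts inside 'global'."""
    section = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first = line.split()[0]
        if first in SECTION_KEYWORDS:
            section = first
            continue
        if section == "global" and first == WORKAROUND_DIRECTIVE:
            return True
    return False


def report(banner: str, config_text: str) -> tuple:
    """Combine both checks into (status, workaround_present)."""
    return assess(parse_version(banner)), has_workaround(config_text)


# Constructed sample inputs (placeholder commit hash and date).
SAMPLE_BANNER = "HAProxy version 3.0.3-0000000 2024/01/01 - https://haproxy.org/\n"

SAMPLE_CONFIG_UNMITIGATED = """\
global
    log stdout format raw local0
    maxconn 4096

defaults
    mode http
"""

SAMPLE_CONFIG_MITIGATED = """\
global
    log stdout format raw local0
    tune.disable-zero-copy-forwarding   # temporary CVE-2024-45506 workaround

defaults
    mode http
"""

if __name__ == "__main__":
    for label, cfg in (("unmitigated", SAMPLE_CONFIG_UNMITIGATED),
                       ("mitigated", SAMPLE_CONFIG_MITIGATED)):
        status, mitigated = report(SAMPLE_BANNER, cfg)
        print(f"{label}: version status={status}, workaround={mitigated}")
```

On a real host, feed the output of `haproxy -v` and the contents of `haproxy.cfg` to `report()`. A result of `("vulnerable", False)` is the case the advisory is warning about; `("vulnerable", True)` means the temporary mitigation is in place but the upgrade is still owed, since the directive only sidesteps the affected code path rather than fixing it.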