DEBIAN-CVE-2023-40225

PUBLISHED · CVSS 7.2 HIGH

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

Risk Scores

CVSS 3.1
7.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | haproxy | 2.6.12-1, 2.6.12-1, 0 |
| Debian:14 | haproxy | 0, 0, 0 |
| Debian:13 | haproxy | 0, 0, 0 |
| Debian:11 | haproxy | 2.2.9-2, 2.2.9-2, 2.2.9-2 |

Timeline

  • Aug 10, 2023 CVE Published
  • Apr 28, 2026 CVE Updated