Bug 2169089 (CVE-2023-25725) - CVE-2023-25725 haproxy: request smuggling attack in HTTP/1 header parsing
Summary: CVE-2023-25725 haproxy: request smuggling attack in HTTP/1 header parsing
Alias: CVE-2023-25725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2169532 2169509 2169510 2169511 2169533 2169534 2169535 2169823 2170060 2172591 2172592 2174174 2174175
Blocks: 2169088
Reported: 2023-02-11 17:47 UTC by Nick Tait
Modified: 2023-06-18 19:51 UTC (History)

Fixed In Version: HAProxy 2.0.31, HAProxy 2.2.29, HAProxy 2.4.22, HAProxy 2.5.12, HAProxy 2.6.9, HAProxy 2.7.3, HAProxy 2.8-dev4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in HAProxy's HTTP/1 header processing: the parser accepts a header line with an empty field name, which causes HAProxy to drop important header fields such as Connection, Content-Length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.
Clone Of:
Last Closed: 2023-05-18 06:44:53 UTC

Attachments

System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:1268  0        None      None    None     2023-03-21 11:48:01 UTC
Red Hat Product Errata  RHSA-2023:1325  0        None      None    None     2023-05-17 22:53:47 UTC
Red Hat Product Errata  RHSA-2023:1696  0        None      None    None     2023-04-11 14:24:45 UTC
Red Hat Product Errata  RHSA-2023:1978  0        None      None    None     2023-04-25 10:24:13 UTC

Description Nick Tait 2023-02-11 17:47:59 UTC
I will attach the patch to this flaw, but there may be an even newer patch available from the reporter (Willy Tarreau).

Summary from the initial report:
There is a serious bug in haproxy's HTTP/1 header parser which unfortunately accepts an empty header name ... The impact is that some mandatory headers could be dropped after their presence was confirmed ... resulting in a request smuggling attack. Also this empty header could be used to make a transfer-encoding or content-length disappear while the internal parser still thinks it's there since it was seen ... I guess some (attackers) might be creative enough to exploit it ...

The fix ... applies well as far as v2.0 ...

I would like to propose an early coordinated release date ... 
Tuesday 14th 7pm CET ... 
it shouldn't take long to some attackers to figure how to exploit this to bypass some URL checks
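
The report above turns on one parsing rule: an HTTP/1 header field name is a token of at least one character, so a line that begins with the colon must be rejected at the edge rather than carried along. The following Python is an added example written for this page, not HAProxy's code or its patch, and it does not reproduce how HAProxy's internal parser lost the headers. It contrasts a lenient split that keeps an empty-name line with a strict parser that refuses the whole request, and it also applies two general anti-smuggling checks (Transfer-Encoding together with Content-Length, and conflicting Content-Length values) that go beyond what the report discusses. The sample requests are constructed, not captured traffic.

```python
"""Header-field checks for HTTP/1 request heads (constructed illustration,
not HAProxy's code or its patch)."""
import re

# RFC 9110 s5.6.2: a field name is a token (one or more tchar), so an
# empty name can never match this pattern.
FIELD_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedRequest(ValueError):
    """Raised when a request head must not be forwarded."""


def split_head(raw: bytes):
    """Lenient split into (request_line, [(name, value), ...], body).

    Does no validation: a line such as b": x" is kept under the empty name,
    which is exactly the acceptance the report describes as a bug.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedRequest("request head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    fields = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise MalformedRequest(f"header line without colon: {line!r}")
        fields.append((name.decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), fields, body


def audit_request_head(raw: bytes) -> list:
    """Return findings for a request head; an empty list means it passed.

    1. every field name is a non-empty token (the check this CVE is about);
    2. Transfer-Encoding and Content-Length are not both present;
    3. repeated Content-Length headers agree.
    Checks 2 and 3 are general smuggling hygiene, not part of the report.
    """
    findings = []
    _, fields, _ = split_head(raw)
    for idx, (name, _) in enumerate(fields, start=1):
        if name == "":
            findings.append(f"header {idx}: empty field name")
        elif not FIELD_NAME_RE.match(name):
            findings.append(f"header {idx}: field name is not a token: {name!r}")
    lowered = [(n.lower(), v) for n, v in fields]
    if {"transfer-encoding", "content-length"} <= {n for n, _ in lowered}:
        findings.append("both Transfer-Encoding and Content-Length present")
    cl_values = {v for n, v in lowered if n == "content-length"}
    if len(cl_values) > 1:
        findings.append(f"conflicting Content-Length values: {sorted(cl_values)}")
    return findings


def parse_strict(raw: bytes):
    """Parse like a hardened edge proxy: raise on any finding, otherwise
    return (request_line, {lowercased name: value}, body)."""
    findings = audit_request_head(raw)
    if findings:
        raise MalformedRequest("; ".join(findings))
    request_line, fields, body = split_head(raw)
    return request_line, {n.lower(): v for n, v in fields}, body


def is_accepted(raw: bytes) -> bool:
    """True if the strict parser would forward this request head."""
    try:
        parse_strict(raw)
        return True
    except MalformedRequest:
        return False


# Constructed sample requests, not captured traffic.
GOOD_REQUEST = (b"POST /api/upload HTTP/1.1\r\n"
                b"Host: app.example\r\n"
                b"Content-Length: 5\r\n\r\n"
                b"hello")

# Same request plus a header line whose field name is empty (it starts with
# the colon). split_head keeps it; parse_strict rejects the whole request.
EMPTY_NAME_REQUEST = (b"POST /api/upload HTTP/1.1\r\n"
                      b"Host: app.example\r\n"
                      b": ignored\r\n"
                      b"Content-Length: 5\r\n\r\n"
                      b"hello")

# Classic TE/CL desync candidate, caught by check 2.
TE_CL_REQUEST = (b"POST /api/upload HTTP/1.1\r\n"
                 b"Host: app.example\r\n"
                 b"Content-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n"
                 b"0\r\n\r\n")
```

Running `audit_request_head` over the three constructed requests returns no findings for the first, "header 2: empty field name" for the second and the TE/CL finding for the third; `is_accepted` is True only for the first. The point of keeping `split_head` lenient is to show what a front-end that merely tokenises on the colon would carry to the backend: the empty-name line survives alongside Content-Length, and whether the two ends of the connection then agree on the message framing depends entirely on how each side treats that line.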

Comment 10 Zack Miele 2023-02-14 17:16:02 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 2169823]

Comment 11 Zack Miele 2023-02-15 14:47:17 UTC
Created haproxy18 tracking bugs for this issue:

Affects: epel-all [bug 2170060]

Comment 19 Torben Hørup 2023-03-07 17:53:09 UTC
When can we expect you to release a patched version? Today it's 3 weeks since CVE-2023-25725 was published.

Comment 21 errata-xmlrpc 2023-03-21 11:48:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1268 https://access.redhat.com/errata/RHSA-2023:1268

Comment 22 errata-xmlrpc 2023-04-11 14:24:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1696 https://access.redhat.com/errata/RHSA-2023:1696

Comment 26 errata-xmlrpc 2023-04-25 10:24:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1978 https://access.redhat.com/errata/RHSA-2023:1978

Comment 27 errata-xmlrpc 2023-05-17 22:53:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325

Comment 28 Product Security DevOps Team 2023-05-18 06:44:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 29 Zack Miele 2023-05-25 22:23:47 UTC
Increasing this impact to Important after reconsideration. While the difficulty of creating an effective attack on sites behind HAProxy is largely dependent on the site's architecture, the difficulty to affect the Integrity of specially crafted data passed through HAProxy itself is low.

Comment 30 Robert Scheck 2023-06-18 11:50:43 UTC
Why do you consider RHEL 8 at https://access.redhat.com/security/cve/cve-2023-25725 to be "not affected"? As per https://security-tracker.debian.org/tracker/CVE-2023-25725, Debian backported the fix for this vulnerability to HAProxy 1.8 (included in 1.8.19-1+deb10u4).

> The fix ... applies well as far as v2.0 ...

If this is the cause, then I would like to remind you that HAProxy 1.8 reached its end-of-life in Q4/2022 at upstream, see https://www.haproxy.org/. From my understanding upstream does not evaluate the applicability of security flaws for unmaintained HAProxy releases (this one was raised in Q1/2023).

Comment 31 Robert Scheck 2023-06-18 19:51:34 UTC
See also: https://www.mail-archive.com/haproxy@formilux.org/msg43229.html

> The problem affects all versions at different degrees: […] non-HTX versions (1.9 and before, or 2.0 in legacy mode) will not drop the header, but will nonetheless pass the faulty request as-is to a server. This means that, while such versions will not be abused to attack a server, if placed at the edge they are not sufficient to protect an internal HAProxy instance either.
