An integer overflow exists in HAProxy 2.0 through 2.5 in htxaddheader that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.17"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.14"
}
],
"source": "CPE_RANGE",
"vendor_product": "haproxy:haproxy",
"cpes": [
"cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "11.0"
},
{
"last_affected": "11.0"
}
],
"source": "CPE_STRING",
"vendor_product": "debian:debian_linux",
"cpes": [
"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "33"
},
{
"last_affected": "33"
},
{
"introduced": "34"
},
{
"last_affected": "34"
}
],
"source": "CPE_STRING",
"vendor_product": "fedoraproject:fedora",
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"
]
},
{
"extracted_events": [
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
}
],
"source": "CPE_STRING",
"vendor_product": "haproxy:haproxy",
"cpes": [
"cpe:2.3:a:haproxy:haproxy:2.5:dev0:*:*:*:*:*:*"
]
}
]
}{
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
],
"cpe": [
"cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*",
"cpe:2.3:a:haproxy:haproxy:2.5:dev0:*:*:*:*:*:*",
"cpe:2.3:a:haproxy:haproxy:2.5:dev1:*:*:*:*:*:*",
"cpe:2.3:a:haproxy:haproxy:2.5:dev2:*:*:*:*:*:*",
"cpe:2.3:a:haproxy:haproxy:2.5:dev3:*:*:*:*:*:*",
"cpe:2.3:a:haproxy:haproxy:2.5:dev4:*:*:*:*:*:*",
"cpe:2.3:a:haproxy:haproxy:2.5:dev5:*:*:*:*:*:*",
"cpe:2.3:a:haproxy:haproxy:2.5:dev6:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.4"
},
{
"introduced": "2.5-dev0"
},
{
"last_affected": "2.5-dev0"
},
{
"introduced": "2.5-dev1"
},
{
"last_affected": "2.5-dev1"
},
{
"introduced": "2.5-dev2"
},
{
"last_affected": "2.5-dev2"
},
{
"introduced": "2.5-dev3"
},
{
"last_affected": "2.5-dev3"
},
{
"introduced": "2.5-dev4"
},
{
"last_affected": "2.5-dev4"
},
{
"introduced": "2.5-dev5"
},
{
"last_affected": "2.5-dev5"
},
{
"introduced": "2.5-dev6"
},
{
"last_affected": "2.5-dev6"
}
]
}"2026-07-08T22:14:12Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40346.json"
[
{
"id": "CVE-2021-40346-720f56ce",
"digest": {
"function_hash": "250362322674641590349589051495230156653",
"length": 397.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95",
"deprecated": false,
"target": {
"function": "htx_add_trailer",
"file": "include/haproxy/htx.h"
}
},
{
"id": "CVE-2021-40346-a2320c5c",
"digest": {
"function_hash": "137971134793007557031146476273999624430",
"length": 397.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95",
"deprecated": false,
"target": {
"function": "htx_add_header",
"file": "include/haproxy/htx.h"
}
},
{
"id": "CVE-2021-40346-ff6b9c62",
"digest": {
"line_hashes": [
"103378957073333009210878063361820249918",
"90642999860060403562236023336123966002",
"87325895267160897988184542515128014985",
"258426726845170808120248969356574058873",
"156690178870054102966697089710863666198",
"97589094008776621651354770360189691565"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95",
"deprecated": false,
"target": {
"file": "include/haproxy/htx.h"
}
}
]