CVE-2023-40225

Source
https://cve.org/CVERecord?id=CVE-2023-40225
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40225.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-40225
Published
2023-08-10T21:15:10.743Z
Modified
2026-03-13T07:56:50.006100Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Details

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

Affected packages

Git / git.haproxy.org/haproxy-2.0.git

Affected ranges

Type
GIT
Repo
https://git.haproxy.org/haproxy-2.0.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
09b74d8a453ba1b1f71b217c321983511383c2d2
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.32"
        }
    ]
}
Type
GIT
Repo
https://git.haproxy.org/haproxy-2.2.git
Events
Introduced
3a00c915fd241fc398a080a11ccac9c5c46791ce
Last affected
5f4877ec77240f80774b7f7cb2f65f2d26f3f4cf
Database specific
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "last_affected": "2.2.30"
        }
    ]
}
Type
GIT
Repo
https://git.haproxy.org/haproxy-2.4.git
Events
Introduced
6cbbecf09734aeb5fa8bb88f36f06a6f6d35e813
Last affected
62cb999fe65e415ba7176354172612a7ee8bdf04
Database specific
{
    "versions": [
        {
            "introduced": "2.4.0"
        },
        {
            "last_affected": "2.4.23"
        }
    ]
}
Type
GIT
Repo
https://git.haproxy.org/haproxy-2.6.git
Events
Introduced
f2e0833f16aa8c09e1c7001ff55aac4f13c643b7
Fixed
446b02c89880ca778201642016e5d7de6e969532
Database specific
{
    "versions": [
        {
            "introduced": "2.5.0"
        },
        {
            "fixed": "2.6.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/haproxy/haproxy
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.10"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "fixed": "2.8.2"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.18
v1.1.19
v1.1.2
v1.1.20
v1.1.21
v1.1.22
v1.1.23
v1.1.24
v1.1.25
v1.1.26
v1.1.27
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.1-pre1
v1.2.1-pre2
v1.2.1-pre3
v1.2.10
v1.2.10.1
v1.2.11
v1.2.11.1
v1.2.12
v1.2.13
v1.2.13.1
v1.2.14
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.5-pre1
v1.2.5-pre2
v1.2.5-pre3
v1.2.5-pre4
v1.2.5.1
v1.2.5.2
v1.2.6
v1.2.6-pre4
v1.2.6-pre5
v1.2.7
v1.2.7.1
v1.2.7rc
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.10.1
v1.3.10.2
v1.3.11
v1.3.11.1
v1.3.11.2
v1.3.11.3
v1.3.11.4
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.16-rc1
v1.3.16-rc2
v1.3.17
v1.3.18
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.6.1
v1.3.7
v1.3.8
v1.3.8.1
v1.3.8.2
v1.3.9
v1.4-dev0
v1.4-dev1
v1.4-dev2
v1.4-dev3
v1.4-dev4
v1.4-dev5
v1.4-dev6
v1.4-dev7
v1.4-dev8
v1.4-rc1
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.5-dev10
v1.5-dev12
v1.5-dev13
v1.5-dev14
v1.5-dev15
v1.5-dev16
v1.5-dev17
v1.5-dev18
v1.5-dev19
v1.5-dev20
v1.5-dev21
v1.5-dev22
v1.5-dev23
v1.5-dev24
v1.5-dev25
v1.5-dev26
v1.5-dev8
v1.5-dev9
v1.5.0
v1.6-dev0
v1.6-dev1
v1.6-dev2
v1.6-dev3
v1.6-dev4
v1.6-dev5
v1.6-dev6
v1.6-dev7
v1.6.0
v1.7-dev0
v1.7-dev1
v1.7-dev2
v1.7-dev3
v1.7-dev4
v1.7-dev5
v1.7-dev6
v1.7.0
v1.8-dev0
v1.8-dev1
v1.8-dev2
v1.8-dev3
v1.8-rc1
v1.8-rc2
v1.8-rc3
v1.8-rc4
v1.8.0
v1.9-dev0
v1.9-dev1
v1.9-dev10
v1.9-dev11
v1.9-dev2
v1.9-dev3
v1.9-dev4
v1.9-dev5
v1.9-dev6
v1.9-dev7
v1.9-dev8
v1.9-dev9
v1.9.0
v2.*
v2.0-dev0
v2.0-dev1
v2.0-dev2
v2.0-dev3
v2.0-dev4
v2.0-dev5
v2.0-dev6
v2.0-dev7
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.25
v2.0.26
v2.0.27
v2.0.28
v2.0.29
v2.0.3
v2.0.30
v2.0.31
v2.0.32
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.27
v2.2.28
v2.2.29
v2.2.3
v2.2.30
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.4.0
v2.4.1
v2.4.10
v2.4.11
v2.4.12
v2.4.13
v2.4.14
v2.4.15
v2.4.16
v2.4.17
v2.4.18
v2.4.19
v2.4.2
v2.4.20
v2.4.21
v2.4.22
v2.4.23
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.6-dev0
v2.6-dev1
v2.6-dev10
v2.6-dev11
v2.6-dev12
v2.6-dev2
v2.6-dev3
v2.6-dev4
v2.6-dev5
v2.6-dev6
v2.6-dev7
v2.6-dev8
v2.6-dev9
v2.6.0
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.6.14
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0

Database specific

vanir_signatures
[
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2023-40225-321cb63a",
        "target": {
            "file": "src/http.c",
            "function": "http_parse_cont_len_header"
        },
        "digest": {
            "length": 920.0,
            "function_hash": "233598116403124394327874341684154081692"
        },
        "signature_version": "v1",
        "source": "https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2023-40225-6bc15f13",
        "target": {
            "file": "src/h1.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "165144268708067503662197180751835168325",
                "181476966816870361302138927755052419995",
                "38169904124979107543682445298778353719",
                "90172390201955149448003837056493578792",
                "190028181374243338045588907346606455051",
                "107505088545251584894189210534290438397",
                "331204091758823654164950303515118093648",
                "236794157206778696007620946270386607677",
                "252811914131326760711167158666797745135",
                "31722181914028338651024671069621308286",
                "150844051917068265160765471746425755346",
                "286321739378888021026416454718199891256"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2023-40225-e91d6762",
        "target": {
            "file": "src/http.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "72171713211711176057473768202252814200",
                "63927162197679533977345581072990894618",
                "94110014460971723384658371440440144532",
                "90172390201955149448003837056493578792",
                "190028181374243338045588907346606455051",
                "107505088545251584894189210534290438397",
                "331204091758823654164950303515118093648",
                "236794157206778696007620946270386607677",
                "17986306145591369186963995970127593066",
                "285864856605371214411020876314555345112",
                "283123263476167121878797278369257674902",
                "301864301687022632947606540948909654137"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2023-40225-f584ff7d",
        "target": {
            "file": "src/h1.c",
            "function": "h1_parse_cont_len_header"
        },
        "digest": {
            "length": 1001.0,
            "function_hash": "228028521571946842552203437083185495676"
        },
        "signature_version": "v1",
        "source": "https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856"
    }
]