CVE-2025-32464

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-32464
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32464.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32464
Aliases
Downstream
Related
Published
2025-04-09T03:15:16.847Z
Modified
2026-03-23T05:12:58.147979562Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sampleconvregsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.

References

Affected packages

Git / github.com/haproxy/haproxy

Affected ranges

Type
GIT
Repo
https://github.com/haproxy/haproxy
Events
Introduced
3a00c915fd241fc398a080a11ccac9c5c46791ce
Last affected
599f043e74722fc54483b55d01b286d221c29710
Fixed
3e3b9eebf871510aee36c3a3336faac2f38c9559
Database specific 
{
    "versions": [
        {
            "introduced": "2.2"
        },
        {
            "last_affected": "3.1.6"
        }
    ]
}

Affected versions

v2.*
v2.2.0
v2.3-dev0
v2.3-dev1
v2.3-dev2
v2.3-dev3
v2.3-dev4
v2.3-dev5
v2.3-dev6
v2.3-dev7
v2.3-dev8
v2.3-dev9
v2.3.0
v2.4-dev0
v2.4-dev1
v2.4-dev10
v2.4-dev11
v2.4-dev12
v2.4-dev13
v2.4-dev14
v2.4-dev15
v2.4-dev16
v2.4-dev17
v2.4-dev18
v2.4-dev19
v2.4-dev2
v2.4-dev3
v2.4-dev4
v2.4-dev5
v2.4-dev6
v2.4-dev7
v2.4-dev8
v2.4-dev9
v2.4.0
v2.5-dev0
v2.5-dev1
v2.5-dev10
v2.5-dev11
v2.5-dev12
v2.5-dev13
v2.5-dev14
v2.5-dev15
v2.5-dev2
v2.5-dev3
v2.5-dev4
v2.5-dev5
v2.5-dev6
v2.5-dev7
v2.5-dev8
v2.5-dev9
v2.5.0
v2.6-dev0
v2.6-dev1
v2.6-dev10
v2.6-dev11
v2.6-dev12
v2.6-dev2
v2.6-dev3
v2.6-dev4
v2.6-dev5
v2.6-dev6
v2.6-dev7
v2.6-dev8
v2.6-dev9
v2.6.0
v2.7-dev0
v2.7-dev1
v2.7-dev10
v2.7-dev2
v2.7-dev3
v2.7-dev4
v2.7-dev5
v2.7-dev6
v2.7-dev7
v2.7-dev8
v2.7-dev9
v2.7.0
v2.8-dev0
v2.8-dev1
v2.8-dev10
v2.8-dev11
v2.8-dev12
v2.8-dev13
v2.8-dev2
v2.8-dev3
v2.8-dev4
v2.8-dev5
v2.8-dev6
v2.8-dev7
v2.8-dev8
v2.8-dev9
v2.8.0
v2.9-dev0
v2.9-dev1
v2.9-dev10
v2.9-dev11
v2.9-dev12
v2.9-dev2
v2.9-dev3
v2.9-dev4
v2.9-dev5
v2.9-dev6
v2.9-dev7
v2.9-dev8
v2.9-dev9
v2.9.0
v3.*
v3.0-dev0
v3.0-dev1
v3.0-dev10
v3.0-dev11
v3.0-dev12
v3.0-dev13
v3.0-dev2
v3.0-dev3
v3.0-dev4
v3.0-dev5
v3.0-dev6
v3.0-dev7
v3.0-dev8
v3.0-dev9
v3.0.0
v3.1-dev0
v3.1-dev1
v3.1-dev10
v3.1-dev11
v3.1-dev12
v3.1-dev13
v3.1-dev14
v3.1-dev2
v3.1-dev3
v3.1-dev4
v3.1-dev5
v3.1-dev6
v3.1-dev7
v3.1-dev8
v3.1-dev9
v3.1.0
v3.2-dev0
v3.2-dev1
v3.2-dev2
v3.2-dev3
v3.2-dev4
v3.2-dev5
v3.2-dev6
v3.2-dev7
v3.2-dev8
v3.2-dev9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32464.json"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559",
        "deprecated": false,
        "target": {
            "file": "src/sample.c"
        },
        "digest": {
            "line_hashes": [
                "44363929548633845708281771554896885601",
                "240967002129204781698066168046627257709",
                "235401145960306073107861320431440768315",
                "310455282523349447692393506674566175291"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-32464-c78e104a"
    }
]