Cyber Resilience

CVE-2023-25725

Critical

Published: 14 February 2023
Modified: 20 March 2025
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.1754 (95.2nd percentile)
Risk Priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-25725 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in HAProxy. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

HAProxy versions prior to 2.7.3 are affected by a request smuggling vulnerability that stems from the HTTP/1 header parser accepting empty header field names. This behavior can truncate the list of headers during parsing and processing for HTTP/1.0 and HTTP/1.1 requests, causing selected headers to be lost after initial handling. The same root cause produces more limited effects under HTTP/2 and HTTP/3 because the headers are dropped before they reach the processing stage. Fixed releases are listed as 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

An unauthenticated network attacker can craft requests containing empty header names to strip the headers that follow, thereby bypassing access-control checks or other header-dependent policies enforced by HAProxy. The resulting integrity and availability impact is rated High in the CVSS 9.1 vector, reflecting the potential for unauthorized actions or service disruption without any user interaction.
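As an added, defender-side illustration (not code from the advisory or from HAProxy itself): a small Python inspector that flags HTTP/1.x header lines with an empty field name, the condition this CVE describes, and a strict parser that refuses such a request instead of evaluating policy on a truncated header list. The hostnames and header names in the sample requests are constructed.

```python
def find_empty_header_names(raw_request: bytes) -> list:
    """Return the header lines (decoded) of an HTTP/1.x request whose field
    name is empty, i.e. nothing (or only whitespace) before the colon.
    Such lines are the trigger condition CVE-2023-25725 describes: a parser
    that accepts them may silently drop the headers that follow.
    An empty result means every header line has a non-empty field name."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    findings = []
    for line in lines[1:]:              # lines[0] is the request line
        if not line:
            continue
        name, sep, _ = line.partition(b":")
        if sep and not name.strip(b" \t"):
            findings.append(line.decode("latin-1"))
    return findings


def parse_headers_strict(raw_request: bytes):
    """Parse the header block of an HTTP/1.x request into an ordered list of
    (name, value) pairs, raising ValueError if any header line has an empty
    field name or no colon at all. Rejecting is the conservative stance:
    a request that a lenient parser would truncate is refused before any
    header-dependent access decision is made on an incomplete header set."""
    bad = find_empty_header_names(raw_request)
    if bad:
        raise ValueError(f"empty header field name(s): {bad!r}")
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


# Constructed samples (illustrative names only): one request carries a bare
# ":" line ahead of a header a front end might consult for an access decision.
SAMPLE_BAD = (b"GET /admin HTTP/1.1\r\n"
              b"Host: app.example.test\r\n"
              b":\r\n"
              b"X-Admin-Token: placeholder\r\n\r\n")
SAMPLE_OK = (b"GET /admin HTTP/1.1\r\n"
             b"Host: app.example.test\r\n"
             b"X-Admin-Token: placeholder\r\n\r\n")

if __name__ == "__main__":
    print(find_empty_header_names(SAMPLE_BAD))   # [':']
    print(parse_headers_strict(SAMPLE_OK))
```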

Advisories from Debian and Fedora, along with the upstream commit, direct users to apply the listed patched versions. The references also include distribution-specific announcements that document the coordinated rollout of these updates.

EPSS for this CVE rose from lower values to a peak of 0.2994 before receding to the current 0.1754, indicating a period of heightened exploitation interest after disclosure. No confirmed in-the-wild campaigns are described in the supplied references.


Vulnerability details

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

CWE(s)

CWE-444 (HTTP Request/Response Smuggling)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

haproxy (haproxy): ≤ 2.0.31; 2.1.0 to 2.2.29; 2.3.0 to 2.4.22
debian (debian linux): 10.0, 11.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References