HAProxy: High Performance TCP/HTTP Load Balancer


Products by HAProxy Sorted by Most Security Vulnerabilities since 2018

HAProxy: 29 vulnerabilities

HAProxy Proxyprotocol: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in HAProxy. Last year, in 2025, HAProxy had 3 security vulnerabilities published. Right now, HAProxy is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 3 6.95
2024 3 7.50
2023 6 7.63
2022 1 7.50
2021 4 6.95
2020 1 0.00
2019 6 5.90
2018 5 0.00

It may take a day or so for new HAProxy vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent HAProxy Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-11230 Nov 19, 2025
HAProxy mjson Denial-of-Service via Designed JSON (CVE-2025-11230)
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.
Haproxy
CVE-2025-59303 Oct 08, 2025
HAProxy K8s Ingress Controller <3.1.13 config-snippets YML Injection
HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an ingress token secret as a response. The fixed versions of HAProxy Enterprise Kubernetes Ingress Controller are 3.0.16-ee1, 1.11.13-ee1, and 1.9.15-ee1.
Haproxy
CVE-2025-32464 Apr 09, 2025
HAProxy 2.2-3.1.6 Heap Buffer Overflow in sample_conv_regsub
HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.
Haproxy
CVE-2024-53008 Nov 28, 2024
CVE-2024-53008: HAProxy HTTP SM bypasses ACLs
An inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.
Haproxy
CVE-2024-49214 Oct 14, 2024
QUIC IP List Bypass in HAProxy 3.1-dev<7, 3.0<5, 2.9<11
QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.
Haproxy
CVE-2024-45506 Sep 04, 2024
Remote DoS via H2_send Loop in HAProxy 2.9.x<2.9.10, 3.0.x<3.0.4, 3.1.x<3.1-dev6
HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions, as exploited in the wild in 2024.
Haproxy
CVE-2023-45539 Nov 28, 2023
HAProxy <2.8.2 Accepts # in URI, Risk of Path Misinterpretation
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
Haproxy
CVE-2023-40225 Aug 10, 2023
HAProxy <2.8.2: Forward Empty Content-Length, May Cause Extra Requests
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Haproxy
CVE-2023-25950 Apr 11, 2023
Request/Response Smuggling in HAProxy 2.6.1-2.6.7/2.7.0
HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.
Haproxy
CVE-2023-0836 Mar 29, 2023
HAProxy 2.1-2.7 Info Leak via FCGI_BEGIN_REQUEST (CVE-2023-0836)
An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
Haproxy
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).