{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3ahaproxyhaproxy2.5dev6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*","cpe:2.3:a:haproxy:haproxy:2.5:dev0:*:*:*:*:*:*","cpe:2.3:a:haproxy:haproxy:2.5:dev1:*:*:*:*:*:*","cpe:2.3:a:haproxy:haproxy:2.5:dev2:*:*:*:*:*:*","cpe:2.3:a:haproxy:haproxy:2.5:dev3:*:*:*:*:*:*","cpe:2.3:a:haproxy:haproxy:2.5:dev4:*:*:*:*:*:*","cpe:2.3:a:haproxy:haproxy:2.5:dev5:*:*:*:*:*:*","cpe:2.3:a:haproxy:haproxy:2.5:dev6:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2021-40346"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HAProxy (2.0 through 2.0.24)","HAProxy (2.2 through 2.2.16)","HAProxy (2.3 through 2.3.13)","HAProxy (2.4 through 2.4.3)","HAProxy (2.5 dev1 through 2.5 dev6)"],"_cs_severities":["high"],"_cs_tags":["integer-overflow","http-smuggling","acl-bypass","haproxy","webserver"],"_cs_type":"advisory","_cs_vendors":["HAProxy"],"content_html":"\u003cp\u003eA public exploit has been released detailing CVE-2021-40346, an integer overflow vulnerability in HAProxy, an open-source reverse proxy and load balancer. This critical flaw resides in the \u003ccode\u003ehtx_add_header()\u003c/code\u003e function, which is responsible for storing HTTP headers internally. The vulnerability allows attackers to perform HTTP Request Smuggling and bypass Access Control List (ACL) rules by manipulating the length of HTTP header names. Specifically, by crafting a header name exactly 270 bytes long, an integer overflow occurs, leading HAProxy to misinterpret a forged \u003ccode\u003eContent-Length: 0\u003c/code\u003e header. This enables the smuggling of a second, hidden request that bypasses HAProxy's initial ACL checks and is delivered to the backend server. The presence of a public Proof-of-Concept (PoC) significantly elevates the risk for unpatched HAProxy installations, particularly versions 2.0 through 2.5 (dev6).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request targeting the HAProxy instance.\u003c/li\u003e\n\u003cli\u003eWithin this request, a specially designed header name, such as \u003ccode\u003eContent-Length0\u003c/code\u003e followed by 255 'a' characters (totaling 270 bytes), is included.\u003c/li\u003e\n\u003cli\u003eHAProxy's \u003ccode\u003ehtx_add_header()\u003c/code\u003e function attempts to store this header name, which exceeds the capacity of its 8-bit length field.\u003c/li\u003e\n\u003cli\u003eAn integer overflow occurs, causing HAProxy to misinterpret the manipulated header as a valid \u003ccode\u003eContent-Length: 0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFollowing this forged header, the attacker appends a legitimate \u003ccode\u003eContent-Length\u003c/code\u003e header corresponding to the size of a hidden, malicious HTTP request (e.g., \u003ccode\u003eGET /admin HTTP/1.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHAProxy proceeds to read the entire client-provided body, including the hidden request, but its internal logic has been poisoned by the \u003ccode\u003eContent-Length: 0\u003c/code\u003e interpretation.\u003c/li\u003e\n\u003cli\u003eWhen forwarding to the backend, HAProxy's ACLs, configured to inspect only the initial request line, do not detect the smuggled request.\u003c/li\u003e\n\u003cli\u003eThe backend server, having received a \u003ccode\u003eContent-Length: 0\u003c/code\u003e for the initial request, then processes the subsequent hidden data (e.g., \u003ccode\u003eGET /admin\u003c/code\u003e) as a completely new, unauthorized request, effectively bypassing HAProxy's \u003ccode\u003ehttp-request\u003c/code\u003e ACLs and gaining access to restricted paths.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2021-40346 leads to significant security breaches, primarily unauthorized access to restricted backend services and administrative interfaces (e.g., \u003ccode\u003e/admin\u003c/code\u003e). Organizations leveraging HAProxy as a reverse proxy or load balancer with \u003ccode\u003ehttp-request\u003c/code\u003e based ACLs are at risk. This vulnerability could allow attackers to bypass critical security controls designed to segregate network traffic or protect sensitive application endpoints. Depending on the backend application's functionality, this bypass could lead to further compromise, such as privilege escalation, data exfiltration, or complete system takeover. The availability of a public exploit increases the likelihood of widespread attacks against vulnerable systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade HAProxy installations to patched versions: 2.0.25, 2.2.17, 2.3.14, 2.4.4, or newer, to remediate CVE-2021-40346.\u003c/li\u003e\n\u003cli\u003eImplement defense-in-depth measures by ensuring backend applications have their own robust authentication and authorization logic, rather than solely relying on proxy ACLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T16:05:12Z","date_published":"2026-07-08T16:05:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-haproxy-integer-overflow/","summary":"A critical integer overflow vulnerability, CVE-2021-40346, in HAProxy's `htx_add_header()` function allows unauthenticated attackers to bypass access control rules by crafting HTTP requests with specific header name lengths, leading to HTTP request smuggling and unauthorized access to backend paths, for which a public exploit is available.","title":"HAProxy CVE-2021-40346 Integer Overflow Leading to HTTP Request Smuggling and ACL Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-haproxy-integer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:haproxy:haproxy:2.5:dev6:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}