<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>HAProxy (2.2 Through 2.2.16) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/haproxy-2.2-through-2.2.16/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 16:05:12 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/haproxy-2.2-through-2.2.16/feed.xml" rel="self" type="application/rss+xml"/><item><title>HAProxy CVE-2021-40346 Integer Overflow Leading to HTTP Request Smuggling and ACL Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-07-haproxy-integer-overflow/</link><pubDate>Wed, 08 Jul 2026 16:05:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-haproxy-integer-overflow/</guid><description>A critical integer overflow vulnerability, CVE-2021-40346, in HAProxy's `htx_add_header()` function allows unauthenticated attackers to bypass access control rules by crafting HTTP requests with specific header name lengths, leading to HTTP request smuggling and unauthorized access to backend paths, for which a public exploit is available.</description><content:encoded><![CDATA[<p>A public exploit has been released detailing CVE-2021-40346, an integer overflow vulnerability in HAProxy, an open-source reverse proxy and load balancer. This critical flaw resides in the <code>htx_add_header()</code> function, which is responsible for storing HTTP headers internally. The vulnerability allows attackers to perform HTTP Request Smuggling and bypass Access Control List (ACL) rules by manipulating the length of HTTP header names. Specifically, by crafting a header name exactly 270 bytes long, an integer overflow occurs, leading HAProxy to misinterpret a forged <code>Content-Length: 0</code> header. This enables the smuggling of a second, hidden request that bypasses HAProxy's initial ACL checks and is delivered to the backend server. The presence of a public Proof-of-Concept (PoC) significantly elevates the risk for unpatched HAProxy installations, particularly versions 2.0 through 2.5 (dev6).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts an HTTP POST request targeting the HAProxy instance.</li>
<li>Within this request, a specially designed header name, such as <code>Content-Length0</code> followed by 255 'a' characters (totaling 270 bytes), is included.</li>
<li>HAProxy's <code>htx_add_header()</code> function attempts to store this header name, which exceeds the capacity of its 8-bit length field.</li>
<li>An integer overflow occurs, causing HAProxy to misinterpret the manipulated header as a valid <code>Content-Length: 0</code>.</li>
<li>Following this forged header, the attacker appends a legitimate <code>Content-Length</code> header corresponding to the size of a hidden, malicious HTTP request (e.g., <code>GET /admin HTTP/1.1</code>).</li>
<li>HAProxy proceeds to read the entire client-provided body, including the hidden request, but its internal logic has been poisoned by the <code>Content-Length: 0</code> interpretation.</li>
<li>When forwarding to the backend, HAProxy's ACLs, configured to inspect only the initial request line, do not detect the smuggled request.</li>
<li>The backend server, having received a <code>Content-Length: 0</code> for the initial request, then processes the subsequent hidden data (e.g., <code>GET /admin</code>) as a completely new, unauthorized request, effectively bypassing HAProxy's <code>http-request</code> ACLs and gaining access to restricted paths.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2021-40346 leads to significant security breaches, primarily unauthorized access to restricted backend services and administrative interfaces (e.g., <code>/admin</code>). Organizations leveraging HAProxy as a reverse proxy or load balancer with <code>http-request</code> based ACLs are at risk. This vulnerability could allow attackers to bypass critical security controls designed to segregate network traffic or protect sensitive application endpoints. Depending on the backend application's functionality, this bypass could lead to further compromise, such as privilege escalation, data exfiltration, or complete system takeover. The availability of a public exploit increases the likelihood of widespread attacks against vulnerable systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade HAProxy installations to patched versions: 2.0.25, 2.2.17, 2.3.14, 2.4.4, or newer, to remediate CVE-2021-40346.</li>
<li>Implement defense-in-depth measures by ensuring backend applications have their own robust authentication and authorization logic, rather than solely relying on proxy ACLs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>integer-overflow</category><category>http-smuggling</category><category>acl-bypass</category><category>haproxy</category><category>webserver</category></item></channel></rss>