Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

HAProxy Vulnerability Leads to HTTP Request Smuggling

A critical security vulnerability in HAProxy could allow attackers to bypass security controls and access sensitive data without authorization, according to a warning from security research outfit JFrog.

A critical security vulnerability in HAProxy could allow attackers to bypass security controls and access sensitive data without authorization, according to a warning from security research outfit JFrog.

An attacker could exploit the vulnerability – tracked as CVE-2021-40346 (CVSS score of 8.6) – to bypass duplicate HTTP Content-Length header checks. Thus, the attacker could smuggle HTTP requests to the backend server without the proxy server noticing it, or launch a response-splitting attack.

“Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value. Due to the difficulty in executing such an attack, the risk is low,” according to an HAProxy advisory.

Researchers with JFrog Security, the company credited with discovering the bug, describe the issue as integer overflow in the HAProxy’s parsing of HTTP requests. Specifically, it affects the logic related to the processing of Content-Length headers, in the line responsible for setting a header’s name and value lengths.  

[ READ: Researcher Discovers New HTTP Request Smuggling Attack Variants ]

In an HTTP request smuggling attack, an adversary targets the HTTP requests between the frontend and backend servers by sending specially crafted requests containing an additional request. This results in the inner request being smuggled through the frontend, mainly because the same established TCP connection is used to forward the requests to the backend.

JFrog researchers crafted a POST request that contains a GET request in its body. Because of the manner in which the POST request’s header is created, HAProxy ends up forwarding it to the backend server with a value length of 0, meaning that it has no body.

The backend server then parses the request as having no body, and then expects to receive the next request on the same connection. Thus, the GET request that was in fact the POST’s body is treated as a legitimate request, resulting in bypassing HAProxy’s ACL filtering.

“HAProxy is only aware of a single HTTP request being forwarded and thus only returns a single HTTP response (the first) from the backend server back to the client,” according to JFrog’s documentation of the problem.

HAProxy versions 2.0.25, 2.2.17, 2.3.14 or 2.4.4 address the issue with size checks for both name and value lengths. Thus, it is recommended to update HAProxy as soon as possible. Workarounds to mitigate the issue are available as well, if updating isn’t possible.

Related: Researcher Discovers New HTTP Request Smuggling Attack Variants

Related: Researchers Reproduce Exploit Used in Kaseya Hack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.