Denial of service vulnerability in HAProxy mjson library
a day ago
- #Vulnerability
- #HAProxy
- #Security
- HAProxy Technologies addressed a high severity denial of service vulnerability (CVE-2025-11230).
- The vulnerability stems from an Inefficient Algorithmic Complexity weakness (CWE-407) in the mjson library, a dependency of HAProxy.
- A specially crafted JSON request containing very large values triggers the inefficient code path, and HAProxy's watchdog then terminates the process.
- All current versions across every HAProxy product line are affected: Community Edition, Enterprise, ALOHA appliances, and the Kubernetes Ingress Controller.
- Recommended action: upgrade to the latest version if the configuration uses any of the JSON-parsing sample fetches json_query(), jwt_header_query(), or jwt_payload_query().
- No workaround is available other than updating HAProxy.
- CVSSv3 Score: 7.5 (HIGH).
- The vulnerability involves processing extremely large numbers in JSON requests, leading to denial of service.
- Fixed versions have been released, and users are urged to upgrade immediately.
- No configuration-based remediation exists; the only solution is to update to a fixed version.
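Since exposure depends on whether a configuration uses the three sample fetches the advisory names, an operator's first triage step is to find every live use of them. The script below is an added example (not HAProxy Technologies' tooling) that scans an haproxy.cfg, skips comments while respecting quoted strings, and reports each hit with its enclosing section; the sample configuration is constructed for the demonstration.

```python
import re

AFFECTED_FETCHES = ("json_query", "jwt_header_query", "jwt_payload_query")  # named in the advisory

# Constructed sample haproxy.cfg for the demo, not a real deployment.
SAMPLE_CFG = """\
frontend fe_api
    bind *:8080
    # commented out, must not count: http-request deny if { req.body,json_query('$.id') -m found }
    http-request set-var(txn.role) req.hdr(Authorization),word(2," "),jwt_payload_query('$.role')
    acl has_id req.body,json_query('$.id','int') -m found
    default_backend be_api

backend be_api
    server app1 127.0.0.1:9000
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
FETCH_RE = re.compile(r"\b(" + "|".join(AFFECTED_FETCHES) + r")\s*\(")

def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside single or double quotes."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def find_exposed_fetches(cfg_text):
    """Return (line_no, section, fetch_name, directive) for every live use of an affected fetch."""
    section, hits = "(none)", []
    for n, raw in enumerate(cfg_text.splitlines(), 1):
        code = strip_comment(raw).strip()
        if not code:
            continue
        m = SECTION_RE.match(code)
        if m:  # remember the enclosing proxy section for the report
            section = (m.group(1) + " " + m.group(2)).strip()
            continue
        for fm in FETCH_RE.finditer(code):
            hits.append((n, section, fm.group(1), code))
    return hits

if __name__ == "__main__":
    for line_no, section, fetch, code in find_exposed_fetches(SAMPLE_CFG):
        print(f"line {line_no} [{section}]: {fetch}() in: {code}")
```

A non-empty report means the deployment is exposed and the upgrade should be prioritised; an empty one only means these fetches are not configured, not that the binary is patched.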