DescriptionHTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
haproxy (PTS)buster1.8.19-1+deb10u3fixed
buster (security)1.8.19-1+deb10u5fixed
bullseye (security), bullseye2.2.9-2+deb11u6fixed
bookworm, bookworm (security)2.6.12-1+deb12u1fixed
sid, trixie2.9.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
haproxysourcebuster(not affected)
haproxysourcebullseye(not affected)


[bullseye] - haproxy <not-affected> (Vulnerable code not present)
[buster] - haproxy <not-affected> (Vulnerable code not present);a=commit;h=3ca4223c5e1f18a19dc93b0b09ffdbd295554d46 (v2.7.1);a=commit;h=22b44d5f2c7ce1ed0e4b62c639991d5abbd42a50 (v2.6.8)

Search for package or bug name: Reporting problems