{"id":"CVE-2023-40225","details":"HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.","aliases":["BIT-haproxy-2023-40225"],"modified":"2026-05-18T05:57:08.188538577Z","published":"2023-08-10T00:00:00Z","related":["ALSA-2024:1142","CGA-54g5-xw2p-2xch","SUSE-SU-2023:3469-1","SUSE-SU-2023:3490-1","SUSE-SU-2023:4646-1","openSUSE-SU-2024:13116-1"],"database_specific":{"cna_assigner":"mitre","unresolved_ranges":[{"source":"DESCRIPTION","extracted_events":[{"fixed":"2.0.32"},{"introduced":"2.2.x"},{"fixed":"2.2.30"},{"introduced":"2.4.x"},{"fixed":"2.4.23"},{"introduced":"2.6.x"},{"fixed":"2.6.15"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40225.json"},"references":[{"type":"WEB","url":"https://cwe.mitre.org/data/definitions/436.html"},{"type":"WEB","url":"https://www.haproxy.org/download/2.6/src/CHANGELOG"},{"type":"WEB","url":"https://www.haproxy.org/download/2.7/src/CHANGELOG"},{"type":"WEB","url":"https://www.haproxy.org/download/2.8/src/CHANGELOG"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40225.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40225"},{"type":"REPORT","url":"https://github.com/haproxy/haproxy/issues/2237"},{"type":"FIX","url":"https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/haproxy/haproxy","events":[{"introduced":"fdd8154ed37fef7f351075caa357917f94704dd7"},{"fixed":"0f29b34e0a06cdd59ae2278d33c16f63ca435468"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-40225.json"}}],"schema_version":"1.7.5"}