Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close


Published: 10 August 2023

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.


affected content-length headers parses were added in
v1.9, with HTX mode. legacy mode in v2.0 and before has the correct check.
hence, Ubuntu releases older than focal are not affected.
there is a followup commit to handle a specific corner
case where leading zeroes on content-length are being preserved, and a
bogus server could take it as a prefix, that being commit 22731762.
upstream stated that the leading zeroes situation can still happen in
versions older than v1.9, it could be addressed in v2.0+ (with HTX) but
it is not feasible for older versions due to the way values are indexed.
(more information on bug link)


frontend can reject requests with empty content-length header with the
following rule
 http-request deny if { hdr_len(content-length) 0 }



Cvss 3 Severity Score


Score breakdown

Severity score breakdown

Parameter Value
Base score 7.2
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality Low
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N