CVE-2025-11230
📋 TL;DR
This vulnerability in the mjson library bundled with HAProxy allows remote attackers to cause a denial of service: specially crafted JSON input triggers inefficient algorithmic complexity in the parser, exhausting CPU time. Any HAProxy deployment that uses mjson for JSON parsing is affected, potentially impacting service availability.
💻 Affected Systems
- HAProxy
📦 What is this software?
Haproxy by Haproxy
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage with HAProxy becoming unresponsive, affecting all traffic passing through the load balancer.
Likely Case
Degraded performance and intermittent service disruptions due to resource exhaustion from JSON parsing attacks.
If Mitigated
Minimal impact with proper rate limiting, input validation, and monitoring in place.
🎯 Exploit Status
Attack requires sending specially crafted JSON requests to trigger inefficient parsing algorithms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check HAProxy advisory for specific patched versions
Vendor Advisory: https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability
Restart Required: Yes
Instructions:
1. Check the current HAProxy version.
2. Update to a patched version from the official HAProxy repository.
3. Restart the HAProxy service.
4. Verify the fix is applied.
🔧 Temporary Workarounds
Rate Limit JSON Requests
Implement rate limiting on endpoints processing JSON to reduce the attack surface.
# Configure in the HAProxy frontend (tracks requests per client IP; the counter
# is a request rate per source, so it applies to all requests, not only JSON):
    stick-table type ip size 1m expire 30s store http_req_rate(10s)
    tcp-request connection track-sc0 src
    http-request deny if { src_http_req_rate gt 10 }
Input Validation Filter
Filter or reject oversized or malformed JSON requests before they reach the mjson parser.
# In the HAProxy frontend. req.body_size is only populated when the request body
# is buffered, so option http-buffer-request is required for the size check to work;
# the Content-Type match uses a prefix match so "application/json; charset=utf-8" is caught too.
    option http-buffer-request
    acl is_json_content req.hdr(Content-Type) -m beg -i application/json
    http-request deny if is_json_content !{ req.body_size lt 10000 }
🧯 If You Can't Patch
- Implement strict rate limiting and request size limits for JSON endpoints
- Deploy WAF with JSON parsing protection rules and monitor for anomalous request patterns
🔍 How to Verify
Check if Vulnerable:
Compare the running HAProxy version against the vendor advisory to determine whether it ships a vulnerable build of the mjson library.
Check Version:
haproxy -v
Verify Fix Applied:
Confirm the updated HAProxy version (haproxy -v), then test with normal JSON requests to ensure the service remains responsive.
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Increased request timeouts
- Multiple malformed JSON request patterns
- HAProxy process becoming unresponsive
Network Indicators:
- Unusual volume of JSON requests from single sources
- Requests with nested/complex JSON structures
- Traffic patterns indicating DoS attempts
SIEM Query:
source="haproxy" AND ("timeout" OR "error" OR "deny") AND "json"
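The log indicators above (unusual JSON request volume from single sources, timeouts on JSON requests) can be checked offline against HAProxy access logs. The following is an added example, not part of the advisory or of HAProxy itself: it parses lines in HAProxy's default "option httplog" layout, assuming the frontend has "capture request header Content-Type len 64" configured so the content type appears in braces, then reports per-source peak JSON request rates over a sliding window (the same 10 requests per 10 seconds threshold as the rate-limit workaround) and JSON requests that ended in a timeout. The log lines are constructed for the example; the source addresses, paths and timings are not from any real incident.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# HAProxy default httplog line with one captured request header ({Content-Type}).
# Assumption: "capture request header Content-Type len 64" is set in the frontend;
# without that capture the braces block is absent and the line will not match.
HTTPLOG_RE = re.compile(
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ '
    r'\[(?P<ts>[^\]]+)\] '
    r'(?P<fe>\S+) (?P<be>\S+) '
    r'(?P<timers>[-\d/]+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
    r'[\d/]+ [\d/]+ '
    r'\{(?P<ctype>[^}]*)\} '
    r'"(?P<method>\S+) (?P<path>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one httplog line, or None if it does not match."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S.%f")
    ev["is_json"] = ev["ctype"].lower().startswith("application/json")
    return ev


def json_request_rate(events, window_s=10.0):
    """Peak number of JSON requests per source within any sliding window of window_s seconds."""
    peaks = defaultdict(int)
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not ev["is_json"]:
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() >= window_s:
            q.popleft()
        peaks[ev["src"]] = max(peaks[ev["src"]], len(q))
    return dict(peaks)


def json_timeouts(events):
    """JSON requests whose termination state is a client ('c') or server ('s') timeout, or a 408/504."""
    return [ev for ev in events
            if ev["is_json"] and (ev["term"][0] in "cs" or ev["status"] in ("408", "504"))]


def analyze(lines, window_s=10.0, threshold=10):
    """Summarise JSON request floods and timeouts across a batch of log lines."""
    events = [e for e in map(parse_line, lines) if e]
    rates = json_request_rate(events, window_s)
    return {
        "parsed": len(events),
        "peak_rates": rates,
        "flood_sources": sorted(s for s, n in rates.items() if n > threshold),
        "timeouts": len(json_timeouts(events)),
    }


def _log(src, secs, ctype, method, path, status="200", term="----"):
    # Build one constructed httplog line (fixed date, varying seconds) for the sample below.
    return (f"Oct  9 10:00:00 lb haproxy[1234]: {src}:54321 [09/Oct/2025:10:00:{secs}] "
            f"fe_http be_api/srv1 0/0/1/2/3 {status} 512 - - {term} 1/1/0/0/0 0/0 "
            f"{{{ctype}}} \"{method} {path} HTTP/1.1\"")


# Constructed sample: 12 JSON POSTs from one source in 5.5 s, plus one that timed out,
# two non-JSON GETs from the same source, and three well-spaced JSON POSTs from another.
SAMPLE_LOG = (
    [_log("203.0.113.5", f"{int(i * 0.5):02d}.{'500' if i % 2 else '000'}",
          "application/json", "POST", "/api/v1/data") for i in range(12)]
    + [_log("203.0.113.5", "07.000", "application/json", "POST", "/api/v1/data",
            status="504", term="sH--")]
    + [_log("203.0.113.5", "03.000", "text/html", "GET", "/"),
       _log("203.0.113.5", "04.000", "text/html", "GET", "/health")]
    + [_log("198.51.100.7", f"{s:02d}.000", "application/json", "POST", "/api/v1/data")
       for s in (0, 20, 40)]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Flagged sources are candidates for the stick-table deny rule above or for a firewall block; the peak-rate table also gives a data-driven basis for choosing the threshold rather than the default of 10.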