CVE-2025-32464
📋 TL;DR
HAProxy versions 2.2 through 3.1.6 have a heap-based buffer overflow vulnerability in the sample_conv_regsub function when configured with certain uncommon pattern replacement rules. This allows attackers to potentially execute arbitrary code or cause denial of service. Only HAProxy instances with specific regex-based configuration rules are affected.
💻 Affected Systems
- HAProxy
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, allowing attackers to gain shell access on the HAProxy server.
Likely Case
Denial of service causing HAProxy to crash, disrupting traffic proxying and load balancing services.
If Mitigated
Limited impact due to uncommon configuration requirement, with potential for service disruption but not system compromise.
🎯 Exploit Status
Exploitation requires knowledge of specific regex patterns in configuration and ability to send crafted requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: HAProxy 3.1.7 and later
Vendor Advisory: https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559
Restart Required: Yes
Instructions:
1. Download HAProxy 3.1.7 or later from haproxy.org.
2. Compile and install the new version.
3. Replace configuration files.
4. Restart HAProxy service.
🔧 Temporary Workarounds
Disable vulnerable regex patterns
Remove or modify regex patterns in the configuration that use sample_conv_regsub (exposed in haproxy.cfg as the regsub converter) with multiple short pattern replacements.
Review haproxy.cfg for regsub converter usage (the code path implemented by sample_conv_regsub)
Comment out or modify vulnerable regex patterns
🧯 If You Can't Patch
- Implement network segmentation to limit access to HAProxy management interfaces
- Deploy WAF or reverse proxy in front of HAProxy to filter malicious requests
🔍 How to Verify
Check if Vulnerable:
Check the HAProxy version and review the configuration for regsub converter usage (the code path implemented by sample_conv_regsub) with regex patterns.
Check Version:
haproxy -v
Verify Fix Applied:
Verify HAProxy version is 3.1.7 or later and test regex pattern functionality.
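As an added example (not code from this advisory or from the HAProxy project), a Python check that carries out the two verification steps above: it parses the first line of `haproxy -v` against the version range stated in this advisory and lists every active regsub() rule in haproxy.cfg, since sample_conv_regsub is the C function behind that converter. It assumes the banner format "HAProxy version X.Y.Z-..." and models only the stated range, not fixes backported to other maintenance branches; the sample banner and configuration are constructed.

```python
import re

# Range and fix version as stated in this advisory (2.2 .. 3.1.6, fixed in 3.1.7).
AFFECTED_MIN = (2, 2, 0)
AFFECTED_MAX = (3, 1, 6)
# sample_conv_regsub is the C function behind the regsub() converter, which is
# how the pattern replacement appears inside haproxy.cfg.
REGSUB_RE = re.compile(r"\bregsub\s*\(")
VERSION_RE = re.compile(r"HAProxy version (\d+)\.(\d+)(?:\.(\d+))?")

def parse_haproxy_version(banner):
    """(major, minor, patch) from the first line of `haproxy -v`;
    a development build such as '3.2-dev5' has no patch level, treated as 0."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no HAProxy version string found")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def version_in_affected_range(version):
    """Only the range stated in the advisory is modelled; fixes backported to
    other maintenance branches must be confirmed against the vendor advisories."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def find_regsub_rules(config_text):
    """(line_number, rule) for every active (uncommented) line using regsub()."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        rule = line.strip()
        if rule and not rule.startswith("#") and REGSUB_RE.search(rule):
            hits.append((lineno, rule))
    return hits

def assess(banner, config_text):
    """The vulnerable code path needs both: an affected version and a
    configuration that actually invokes regsub()."""
    version = parse_haproxy_version(banner)
    rules = find_regsub_rules(config_text)
    affected = version_in_affected_range(version)
    return {"version": version, "version_affected": affected,
            "regsub_rules": rules, "exposed": affected and bool(rules)}

# Constructed sample input, not captured from a real host.
SAMPLE_BANNER = "HAProxy version 3.1.6-abcdef0 2025/03/20 - https://haproxy.org/"
SAMPLE_CFG = """\
frontend web
    # http-request set-path %[path,regsub(^/old/,/new/)]   (disabled)
    http-request set-path %[path,regsub(^/static/,/)]
    http-request set-header X-Host %[req.hdr(host),regsub(:.*$,)]
"""
```

Feed it the real banner (`haproxy -v | head -1`) and the contents of your haproxy.cfg; every rule it lists is one to review against the vendor commit linked above.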
📡 Detection & Monitoring
Log Indicators:
- HAProxy crashes or segmentation faults
- Unusual memory usage patterns
- Failed regex processing errors
Network Indicators:
- Unusual traffic patterns triggering specific regex rules
- Requests crafted to trigger pattern replacements
SIEM Query:
source="haproxy.log" AND ("segmentation fault" OR "buffer overflow" OR "sample_conv_regsub")