VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-9xxa-rrnt-zuaw

Essentials
Severities (23)
References (23)
Severity details (9)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-9xxa-rrnt-zuaw
Aliases	CVE-2023-40225
Summary	HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-20	Improper Input Validation
CWE-444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40225.json
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2023-40225
ssvc	Track	https://cwe.mitre.org/data/definitions/436.html
cvssv3.1	5.9	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
ssvc	Track	https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856
ssvc	Track	https://github.com/haproxy/haproxy/issues/2237
cvssv3.1	7.2	https://nvd.nist.gov/vuln/detail/CVE-2023-40225
ssvc	Track	https://www.haproxy.org/download/2.6/src/CHANGELOG
ssvc	Track	https://www.haproxy.org/download/2.7/src/CHANGELOG
ssvc	Track	https://www.haproxy.org/download/2.8/src/CHANGELOG

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40225.json
		https://api.first.org/data/v1/epss?cve=CVE-2023-40225
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40225
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45539
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1043502		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043502
2231370		https://bugzilla.redhat.com/show_bug.cgi?id=2231370
2237		https://github.com/haproxy/haproxy/issues/2237
436.html		https://cwe.mitre.org/data/definitions/436.html
6492f1f29d738457ea9f382aca54537f35f9d856		https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856
CHANGELOG		https://www.haproxy.org/download/2.6/src/CHANGELOG
CHANGELOG		https://www.haproxy.org/download/2.7/src/CHANGELOG
CHANGELOG		https://www.haproxy.org/download/2.8/src/CHANGELOG
cpe:2.3:a:haproxy:haproxy::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haproxy:haproxy::::::::
CVE-2023-40225		https://nvd.nist.gov/vuln/detail/CVE-2023-40225
RHSA-2023:7473		https://access.redhat.com/errata/RHSA-2023:7473
RHSA-2023:7606		https://access.redhat.com/errata/RHSA-2023:7606
RHSA-2024:0200		https://access.redhat.com/errata/RHSA-2024:0200
RHSA-2024:0308		https://access.redhat.com/errata/RHSA-2024:0308
RHSA-2024:1089		https://access.redhat.com/errata/RHSA-2024:1089
RHSA-2024:1142		https://access.redhat.com/errata/RHSA-2024:1142
USN-6294-1		https://usn.ubuntu.com/6294-1/
USN-6294-2		https://usn.ubuntu.com/6294-2/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40225.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-09T20:14:21Z/ Found at https://cwe.mitre.org/data/definitions/436.html

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-09T20:14:21Z/ Found at https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-09T20:14:21Z/ Found at https://github.com/haproxy/haproxy/issues/2237

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-40225

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-09T20:14:21Z/ Found at https://www.haproxy.org/download/2.6/src/CHANGELOG

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-09T20:14:21Z/ Found at https://www.haproxy.org/download/2.7/src/CHANGELOG

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-09T20:14:21Z/ Found at https://www.haproxy.org/download/2.8/src/CHANGELOG

Exploit Prediction Scoring System (EPSS)

Percentile	0.07663
EPSS Score	0.00032
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:16:12.198119+00:00	Ubuntu USN Importer	Import	https://usn.ubuntu.com/6294-2/	36.1.3