Security Vulnerability Report
中文
CVE-2026-33555 CVSS 4.0 MEDIUM

CVE-2026-33555

Published: 2026-04-13 17:16:28
Last Modified: 2026-04-22 19:17:02
Source: [email protected]

Description

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

CVSS Details

CVSS Score
4.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

HAProxy 2.6
HAProxy 2.7
HAProxy 2.8
HAProxy 2.9
HAProxy 3.0
HAProxy 3.1
HAProxy 3.2
HAProxy 3.3.0 - 3.3.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket import ssl # This is a conceptual PoC for HTTP/3 Request Smuggling in HAProxy. # Actual exploitation requires a QUIC library implementation (e.g., aioquic). def send_smuggling_request(target_host, target_port): # In a real scenario, construct a QUIC stream with: # 1. A HEADERS frame containing "Content-Length: 100" # 2. A DATA frame with 0 bytes payload but the FIN stream flag set. # 3. This causes HAProxy to expect 100 bytes but receive 0, triggering desync. print(f"[*] Targeting {target_host}:{target_port}") print("[*] Sending malicious HTTP/3 stream with CL mismatch...") # Pseudo-code for the packet logic headers = { ":method": "POST", ":path": "/", "content-length": "100" # Announce length } body_payload = b"" # Empty payload fin_flag = True # Close stream immediately # The vulnerability is that HAProxy does not check: len(body_payload) == headers['content-length'] # when fin_flag is True. print("[+] Request sent. Backend desynchronization possible.") if __name__ == "__main__": send_smuggling_request("example.com", 443)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33555", "sourceIdentifier": "[email protected]", "published": "2026-04-13T17:16:28.237", "lastModified": "2026-04-22T19:17:02.273", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-130"}]}], "references": [{"url": "https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84", "source": "[email protected]"}, {"url": "https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html", "source": "[email protected]"}, {"url": "https://www.haproxy.com/documentation/haproxy-aloha/changelog/", "source": "[email protected]"}, {"url": "https://www.haproxy.org", "source": "[email protected]"}, {"url": "https://www.mail-archive.com/[email protected]/msg46752.html", "source": "[email protected]"}, {"url": "https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.