Total vulnerabilities in the database
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
| Software | From | Fixed in |
|---|---|---|
| haproxy / haproxy | - | 2.0.32.x |
| haproxy / haproxy | 2.4.0 | 2.4.23.x |
| haproxy / haproxy | 2.2.0 | 2.2.30.x |
| haproxy / haproxy | 2.8.0 | 2.8.2 |
| haproxy / haproxy | 2.7.0 | 2.7.10 |
| haproxy / haproxy | 2.5.0 | 2.6.15 |