CVE-2025-11230

Denial of service vulnerability in HAProxy mjson library

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.

A flaw was found in haproxy. A stemming from an inefficient algorithmic complexity issue within its bundled mjson parsing library. This vulnerability is triggered when haproxy is configured to analyze JSON content, such as with the json_query or jwt_payload_query function

Oula Kivalo reported that HAProxy, a fast and reliable load balancing reverse proxy, is prone to a denial of service vulnerability when parsing JSON numbers. For the oldstable distribution (bookworm), this problem has been fixed in version 2.6.12-1+deb12u3. For the stable distribution (trixie), this problem has been fixed in version 3.0.11-1+deb13u1.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-10-01 CVE Reserved
2025-10-03 CVE Published
2025-11-19 CVE Updated
2025-11-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-407: Inefficient Algorithmic Complexity

CAPEC

CAPEC-130: Excessive Allocation

References (3)

URL	Tag	Source
https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2025-11230	2025-11-18
https://bugzilla.redhat.com/show_bug.cgi?id=2413003	2025-11-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
HAProxy Technologies Search vendor "HAProxy Technologies"		HAProxy Community Edition Search vendor "HAProxy Technologies" for product "HAProxy Community Edition"				>= 2.4.0 < 2.4.30 Search vendor "HAProxy Technologies" for product "HAProxy Community Edition" and version " >= 2.4.0 < 2.4.30"		en		Affected
HAProxy Technologies Search vendor "HAProxy Technologies"		HAProxy Community Edition Search vendor "HAProxy Technologies" for product "HAProxy Community Edition"				>= 2.6.0 < 2.6.23 Search vendor "HAProxy Technologies" for product "HAProxy Community Edition" and version " >= 2.6.0 < 2.6.23"		en		Affected
HAProxy Technologies Search vendor "HAProxy Technologies"		HAProxy Community Edition Search vendor "HAProxy Technologies" for product "HAProxy Community Edition"				>= 2.8.0 < 2.8.16 Search vendor "HAProxy Technologies" for product "HAProxy Community Edition" and version " >= 2.8.0 < 2.8.16"		en		Affected
HAProxy Technologies Search vendor "HAProxy Technologies"		HAProxy Community Edition Search vendor "HAProxy Technologies" for product "HAProxy Community Edition"				>= 3.0.0 < 3.0.12 Search vendor "HAProxy Technologies" for product "HAProxy Community Edition" and version " >= 3.0.0 < 3.0.12"		en		Affected
HAProxy Technologies Search vendor "HAProxy Technologies"		HAProxy Community Edition Search vendor "HAProxy Technologies" for product "HAProxy Community Edition"				>= 3.1.0 < 3.1.9 Search vendor "HAProxy Technologies" for product "HAProxy Community Edition" and version " >= 3.1.0 < 3.1.9"		en		Affected
HAProxy Technologies Search vendor "HAProxy Technologies"		HAProxy Community Edition Search vendor "HAProxy Technologies" for product "HAProxy Community Edition"				>= 3.2.0 < 3.2.6 Search vendor "HAProxy Technologies" for product "HAProxy Community Edition" and version " >= 3.2.0 < 3.2.6"		en		Affected