How severe is CVE-2023-25725?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2023-25725?

This is classified as CWE-444, which is a common weakness in software security.

CVE-2023-25725 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

Related Vulnerabilities

CVE-2018-21245

CRITICAL

CVSS:9.1(Critical)

Pound before 2.8 allows HTTP request smuggling, a related issue to CVE-2016-10711.

CWE-4442018

CVE-2018-3907

CRITICAL

CVSS:9.1(Critical)

An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly handles pip...

CWE-4442018

CVE-2018-3908

CRITICAL

CVSS:9.1(Critical)

An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The video-core process incorrectly handles pipel...

CWE-4442018

CVE-2018-3909

CRITICAL

CVSS:9.1(Critical)

CWE-4442018

CVE-2019-20444

CRITICAL

CVSS:9.1(Critical)

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid...

CWE-4442019

CVE-2019-20445

CRITICAL

CVSS:9.1(Critical)

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

CWE-4442019