Request Smuggling Vulnerability in HAProxy HTTP/3 Parser
CVE-2026-33555
What is CVE-2026-33555?
CVE-2026-33555 is a vulnerability in HAProxy, a widely used load balancer and reverse proxy. The flaw is in the HTTP/3 parser of versions prior to 3.3.6: when a request stream is concluded by an empty payload frame, the parser fails to verify that the declared content-length matches the number of body bytes actually received. Because HAProxy and the backend server can then disagree about where one request ends and the next begins, the flaw enables request smuggling. An attacker who exploits it can disrupt normal operation and manipulate requests forwarded to backend services, potentially leading to unauthorized access or data manipulation.
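To make the missing check concrete, the following is an added illustration, not HAProxy's code: a simplified HTTP/3 request-body validator that accumulates DATA frames on one stream and, once the stream is finished, compares received bytes against the declared content-length. The `strict=False` path models the defect class the advisory describes (the check skipped when the stream ends with an empty DATA frame); `strict=True` is the behaviour a parser must have. Frame layout, varint decoding and the `data_frame` helper are assumptions for this example.

```python
# Added example (not HAProxy's code): simplified HTTP/3 body-length validation.
# Assumptions: the stream bytes contain only HTTP/3 frames of the form
# varint(type) varint(length) payload; only DATA (type 0x00) frames carry body.

DATA = 0x00


def read_varint(buf: bytes, pos: int):
    """Decode a QUIC variable-length integer (RFC 9000 section 16)."""
    first = buf[pos]
    length = 1 << (first >> 6)  # top two bits select 1, 2, 4 or 8 bytes
    value = first & 0x3F
    for i in range(1, length):
        value = (value << 8) | buf[pos + i]
    return value, pos + length


def parse_frames(stream: bytes):
    """Split a finished stream into (frame_type, payload) pairs."""
    frames, pos = [], 0
    while pos < len(stream):
        ftype, pos = read_varint(stream, pos)
        flen, pos = read_varint(stream, pos)
        frames.append((ftype, stream[pos:pos + flen]))
        pos += flen
    return frames


def data_frame(payload: bytes) -> bytes:
    """Constructed test input: a DATA frame; payloads under 64 bytes use a 1-byte varint."""
    assert len(payload) < 64
    return bytes([DATA, len(payload)]) + payload


def validate_body(stream: bytes, content_length: int, strict: bool) -> str:
    """Return 'ok' or a rejection reason for a stream that has been fully received.

    strict=False models the defect class: when the final DATA frame is empty,
    the received total is never compared with content-length, so a short body
    is forwarded as if complete and the backend's framing desynchronizes.
    strict=True always enforces received == content-length at end of stream.
    """
    received, last_payload = 0, None
    for ftype, payload in parse_frames(stream):
        if ftype == DATA:
            received += len(payload)
            last_payload = payload
            if received > content_length:
                return "reject: body exceeds content-length"
    if not strict and last_payload == b"":
        return "ok"  # vulnerable path: trailing empty DATA frame bypasses the check
    if received != content_length:
        return f"reject: content-length {content_length} but received {received}"
    return "ok"
```

A detection or regression test for a proxy build is the second assertion below: a body shorter than its content-length, closed by an empty DATA frame, must be rejected.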
Potential impact of CVE-2026-33555
- Request Smuggling Attacks: The vulnerability allows attackers to interfere with the normal request flow, potentially leading to unauthorized interception and modification of requests sent to the backend server. This can severely affect system integrity and confidentiality.
- Service Disruption: Exploiting this vulnerability could cause desynchronization between HAProxy and its backends, which might result in outages or degraded service for web applications that rely on HAProxy for load balancing.
- Risk of Further Exploitation: Given the nature of request smuggling, successful exploitation might provide an entry point for more complex attacks, such as remote code execution or the insertion of malicious payloads, increasing the overall risk profile of organizations running affected versions of HAProxy.
Affected Version(s)
HAProxy 2.6 and later, prior to 3.3.6