CVE-2023-45539 Overview
CVE-2023-45539 is a vulnerability in HAProxy before version 2.8.2: the HTTP request parser accepted the hash character (#) as part of the URI, even though a request-target is not allowed to carry a fragment. Because the '#' and everything after it stayed in the path that ACLs evaluate, a path_end rule could match the wrong thing. The example from the CVE description is a request for index.html#.png, which satisfies a path_end .png rule and is routed to the static-file server even though the resource actually requested is index.html. Any decision keyed on the apparent file extension (backend selection, authentication exemptions for static assets) is therefore made against a suffix the attacker controls, which can expose backend services or data the rules were meant to protect. The CVE description summarises the consequence as disclosure of sensitive information or other unspecified impact.
Critical Impact
Remote, unauthenticated attackers can make HAProxy's path-based ACL rules (path_end and similar) evaluate against a suffix placed after a '#' in the URI, so requests reach backends or resources that the routing rules were meant to keep them from.
Affected Products
- HAProxy versions prior to 2.8.2 (the fix was also backported to the older stable branches maintained at the time; check the changelog or your distribution's advisory for the exact patched package version)
- HAProxy installations whose routing or access decisions depend on path_end or other suffix/extension-based ACLs
- Debian-based systems running vulnerable HAProxy packages (see the Debian LTS Announcement referenced below)
Discovery Timeline
- 2023-08 - Fix released in HAProxy 2.8.2 and backported to the older maintained branches
- 2023-11-28 - CVE-2023-45539 published to NVD
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2023-45539
Vulnerability Analysis
This vulnerability stems from HAProxy accepting the hash character (#) as part of the request-target. RFC 3986 defines '#' as the delimiter that starts the fragment component, and the HTTP specification (RFC 9112) states that a request-target must not contain a fragment: the fragment is meaningful only to the client and is never sent to the server. HAProxy nevertheless treated '#' as an ordinary byte of the path, so HAProxy and any component that follows the specification (a backend server, a browser, a WAF) disagree about what was requested.
The path sample fetch, which path_end and the other path_* ACLs evaluate, returns the request-target from the first slash up to the query string. With '#' accepted, a request for /index.html#.png yields the path /index.html#.png, and path_end .png matches because that string ends in .png, even though the resource the client is actually requesting is /index.html. Routing decisions based on file extensions or path endings are therefore made against a suffix the attacker appended, and the request is forwarded to a backend the configuration never intended for it. (If a '?' precedes the '#', the '#' lands in the query string instead and path_* rules are unaffected.)
The attack vector is the network: no authentication or user interaction is required. An attacker exploits the flaw by sending HTTP requests whose URI contains a '#' followed by a suffix chosen to match a routing or access rule.
Root Cause
The root cause is improper handling of a reserved URI delimiter in HAProxy's request-target parsing, recorded as CWE-116 (Improper Encoding or Escaping of Output). The '#' character, which denotes the start of a fragment identifier in a URI, was accepted as part of the path component rather than being rejected. This creates a semantic mismatch: HAProxy evaluates path-based ACLs against a path that still contains the fragment, while the specification, and every component that follows it, considers the path to end at the '#'.
Attack Vector
The attack is carried out against the network-accessible HAProxy service with ordinary HTTP requests. The attacker constructs a URI whose path is followed by a '#' and then a suffix that matches a routing rule. For instance, a request to index.html#.png satisfies a path_end .png rule that normally selects the static-image backend, so the request is sent there even though the resource requested is index.html; conversely, any rule that exempts .png requests from a check is applied to a request that is not for a .png at all.
The attacker can leverage this technique to:
- Access resources that should be served by different backends
- Bypass path-based access control lists
- Potentially expose sensitive application data or administrative interfaces
- Circumvent security policies that rely on file extension-based routing
The affected component is HAProxy's request-target parser. When a path_end rule is configured to match requests ending in a specific extension such as .png, an attacker can append #.png to any request path and HAProxy treats the rule as matched, even though the actual requested resource has a different extension. The '#' must appear before any '?', since the path sample stops at the query string. See the HAProxy Commit Update for technical details on the fix.
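To make the mismatch concrete, the following Python model (an added example; it is not HAProxy source code or configuration from the page) reproduces the two path extractions described above, a pre-fix one that keeps '#' in the path and a patched one that rejects it, and runs the same request through a hypothetical frontend policy that exempts static assets from authentication. The policy, the backend names be_static and be_app, and the function names are assumptions made for the example.

```python
"""Why '/index.html#.png' satisfies 'path_end .png' on an unpatched HAProxy.

Added example for illustration; it is not HAProxy source code. It models the
behaviour described in the text: before the fix, HAProxy's 'path' fetch returned
the request-target up to the query string, treating '#' as an ordinary byte;
the fix rejects a request-target containing '#' (RFC 9112: no fragment in a
request-target) unless 'option accept-invalid-http-request' is set.
The frontend policy in route() is a hypothetical one chosen for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


def path_pre_fix(request_target: str) -> Optional[str]:
    """'path' as seen by HAProxy < 2.8.2: cut at '?', keep '#' and what follows."""
    return request_target.split("?", 1)[0]


def path_patched(request_target: str) -> Optional[str]:
    """Patched parser: a '#' anywhere in the request-target is a 400, not a path."""
    if "#" in request_target:
        return None
    return request_target.split("?", 1)[0]


def path_end(path: str, *suffixes: str) -> bool:
    """Suffix match, i.e. the semantics of the path_end ACL."""
    return path.endswith(suffixes)


@dataclass(frozen=True)
class Decision:
    backend: str   # "be_static", "be_app" or "rejected"
    allowed: bool  # did the request get past the authentication gate?


def route(request_target: str, authenticated: bool,
          path_fn: Callable[[str], Optional[str]]) -> Decision:
    """Hypothetical frontend (an assumption for this example, not from the page):
         http-request allow    if { path_end .png .css .js }   # public static assets
         http-request auth     unless authenticated            # everything else needs auth
         use_backend be_static if { path_end .png .css .js }
         default_backend be_app
    """
    path = path_fn(request_target)
    if path is None:
        return Decision("rejected", False)       # 400 Bad Request at parse time
    if path_end(path, ".png", ".css", ".js"):
        return Decision("be_static", True)       # reaches be_static with no credentials
    if not authenticated:
        return Decision("be_app", False)         # 401 from http-request auth
    return Decision("be_app", True)


def compare(request_target: str, authenticated: bool = False) -> dict[str, Decision]:
    """Same request through the vulnerable and the patched path extraction."""
    return {
        "pre_fix": route(request_target, authenticated, path_pre_fix),
        "patched": route(request_target, authenticated, path_patched),
    }


if __name__ == "__main__":
    # '/admin/export#.png' is treated as a static asset before the fix and
    # rejected after it; with a '?' before the '#', the '#' is in the query
    # string and the pre-fix path_end rule does not fire at all.
    for target in ("/admin/export", "/admin/export#.png", "/admin/export?f=csv#.png"):
        print(f"{target:32} {compare(target)}")
```

The third sample request shows why scanning only for `#.png`-style suffixes in paths is incomplete: the position of the '#' relative to the '?' decides whether a path_* rule is affected, while the patched parser rejects the request in both cases.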
Detection Methods for CVE-2023-45539
Indicators of Compromise
- HTTP access logs showing a '#' in the request-target. HAProxy's default HTTP log format encodes '#' and '"' in the request line (and additionally '{', '|', '}' in captured headers), as well as non-printable bytes, as '#' followed by two hex digits, so a literal '#' in a request appears in the log as #23; a plain search for '#' also hits the escape prefix of other characters
- Requests routed to a backend that does not match the extension of the path before the '#'
- Access attempts to sensitive resources with an appended fragment-like suffix (e.g., file.php#.png, which is logged as file.php#23.png)
- Backend servers receiving requests that a path-based ACL in front of them should have filtered
Detection Strategies
- Search HAProxy access logs for the encoded form of '#' in the request field (#23 followed by a file extension, e.g. #23.png) rather than for a bare '#', which is also the escape prefix for other characters
- Add log-analysis rules that compare the extension of the path before the '#' with the backend that served the request, and alert when they disagree
- Deploy a web application firewall (WAF) in front of HAProxy to flag or block request-targets containing '#'
- Review HAProxy configurations for path_end, path_reg and similar suffix-based rules whose outcome would change if '#' were accepted as part of the path
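The detection logic above, run over constructed HAProxy log lines, as an added example that is not part of the original page: it parses the default option httplog layout, undoes HAProxy's #XX escaping of the request field (so the attacker's '#' is recovered from the logged #23), and flags lines whose request-target contains a fragment, lines where the backend that served the request matches only the suffix after the '#', and lines the patched parser rejected with 400. The log lines, the backend name be_static and the static suffix list are constructed assumptions for the example; adjust them to the names in your own configuration.

```python
"""Scan HAProxy HTTP access logs for '#' in the request-target (CVE-2023-45539).

Added example; not part of the original page or of HAProxy. Two details matter:
  * HAProxy's log encoder writes '#' (and '"' and non-printable bytes) in the
    request field as '#' + two hex digits, so a fragment is logged as '#23'.
  * STATIC_BACKENDS / STATIC_SUFFIXES describe a hypothetical frontend policy
    and are assumptions for this example.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumptions for the example: the backend that serves static files and the
# suffixes that select it in the hypothetical frontend.
STATIC_BACKENDS = {"be_static"}
STATIC_SUFFIXES = (".png", ".css", ".js")

# Default 'option httplog' layout after the syslog prefix. Captured-header
# groups ({...}) are optional; the quoted request line comes last.
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) \S+ (?P<status>-?\d+) \d+ \S+ \S+ '
    r'(?P<term>\S{4}) \S+ \S+ (?:\{[^}]*\} )*"(?P<request>[^"]*)"'
)


def decode_log_field(s: str) -> str:
    """Undo HAProxy's '#XX' escaping of a logged request/header field."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


@dataclass
class Finding:
    client: str
    backend: str
    status: str
    target: str                                   # decoded request-target
    reasons: list[str] = field(default_factory=list)


def analyse_line(line: str) -> Finding | None:
    """Parse one log line; return a Finding (reasons empty if nothing is wrong)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    if len(parts) != 3:                           # expect "METHOD target VERSION"
        return None
    target = decode_log_field(parts[1])
    f = Finding(m.group("client"), m.group("backend"), m.group("status"), target)
    if "#" not in target:
        return f
    f.reasons.append("fragment in request-target")
    # What the client really asked for vs. what a pre-fix path_end evaluated.
    real_path = target.split("#", 1)[0].split("?", 1)[0]
    seen_path = target.split("?", 1)[0]
    if (f.backend in STATIC_BACKENDS
            and not real_path.endswith(STATIC_SUFFIXES)
            and seen_path.endswith(STATIC_SUFFIXES)):
        f.reasons.append("routed to static backend on fragment suffix")
    if f.status == "400":
        f.reasons.append("rejected by parser (patched behaviour)")
    return f


def scan(log_text: str) -> list[Finding]:
    """Return findings for every parsed line whose request-target carries a fragment."""
    return [f for f in map(analyse_line, log_text.splitlines())
            if f is not None and f.reasons]


# Constructed sample log (not real traffic): a normal static request, an attack
# served by be_static, an attack whose '#' sits in the query string, and the same
# attack against a patched instance (rejected with 400, PR-- termination flags).
SAMPLE_LOG = """\
Nov 28 10:00:01 lb1 haproxy[2112]: 203.0.113.5:51234 [28/Nov/2023:10:00:01.123] fe_http be_static/static1 0/0/1/2/3 200 5120 - - ---- 3/3/0/0/0 0/0 "GET /assets/logo.png HTTP/1.1"
Nov 28 10:00:02 lb1 haproxy[2112]: 203.0.113.5:51235 [28/Nov/2023:10:00:02.456] fe_http be_static/static1 0/0/1/2/3 200 812 - - ---- 3/3/0/0/0 0/0 "GET /admin/export#23.png HTTP/1.1"
Nov 28 10:00:03 lb1 haproxy[2112]: 203.0.113.5:51236 [28/Nov/2023:10:00:03.789] fe_http be_app/app1 0/0/1/4/5 401 300 - - ---- 3/3/0/0/0 0/0 "GET /api/users?id=1#23.css HTTP/1.1"
Nov 28 10:00:04 lb1 haproxy[2112]: 203.0.113.5:51237 [28/Nov/2023:10:00:04.012] fe_http fe_http/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 3/3/0/0/0 0/0 "GET /admin/export#23.png HTTP/1.1"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client:20} {f.status} {f.backend:10} {f.target:28} {'; '.join(f.reasons)}")
```

Feed it `journalctl -u haproxy` output or the rsyslog file HAProxy writes to; the regex only needs the part of each line from `haproxy[pid]:` onward, so the syslog prefix format does not matter. The second reason is the high-signal one: a request that reached the static backend only because of the suffix after the '#' means the vulnerable evaluation actually took effect.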
Monitoring Recommendations
- Enable HTTP logging (option httplog, or a custom log-format that includes the request line) so the full request-target is recorded; remember that special characters are written in HAProxy's #XX escaped form, so a '#' shows up as #23
- Set up alerts for anomalous backend routing decisions that don't match expected patterns
- Implement periodic audits of HAProxy ACL rule effectiveness using test requests
- Monitor for reconnaissance activity that may indicate attackers probing for this vulnerability
How to Mitigate CVE-2023-45539
Immediate Actions Required
- Upgrade HAProxy to version 2.8.2 or later immediately
- Review all path_end and similar path-based ACL rules in HAProxy configurations
- Audit access logs for exploitation attempts made before the patch was applied
- Consider implementing additional input validation at the application layer as defense-in-depth
Patch Information
HAProxy addressed this vulnerability in version 2.8.2, with backports to the older stable branches maintained at the time. The fix rejects a request whose request-target contains '#' with a 400 Bad Request before any ACL is evaluated, unless option accept-invalid-http-request is enabled on the frontend; review configurations for that option, because it re-enables the lenient parsing. Organizations should update to the latest HAProxy release available for their branch. Debian users should refer to the Debian LTS Announcement for package updates. Additional technical context is available in the HAProxy Mailing List Discussion and the IETF HTTP Working Group mailing-list thread (archived at lists.w3.org).
Workarounds
- Strip or reject the fragment before routing. Where the configuration supports http-request normalize-uri, the fragment-strip normalizer placed before the routing ACLs removes '#' and everything after it (depending on version the directive may be marked experimental); a WAF in front of HAProxy can do the same
- Add an explicit ACL that denies any request whose path contains '#', placed before any use_backend or http-request rule that depends on the path
- For critical routing decisions, replace path_end with a path_reg pattern that anchors the whole path and excludes '#', such as ^/static/[^\#?]*\.png$ (the '#' escaped as \# in haproxy.cfg); a pattern like \.png$ alone is matched by /index.html#.png just as path_end is
- Enforce expected request patterns in the backend application as well, since it receives whatever HAProxy forwards
# HAProxy configuration workaround - reject requests with '#' in the path.
# In haproxy.cfg an unescaped '#' starts a comment, so the pattern must be
# written as \# (or quoted as "#"); without the escape the ACL has no pattern.
# path_sub covers the path component that path_end evaluates; url_sub \# would
# also catch a '#' inside the query string. Place these lines before any
# use_backend or http-request rule that depends on the path.
acl uri_has_fragment path_sub \#
http-request deny deny_status 400 if uri_has_fragment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


