CVE-2024-45506 Overview
CVE-2024-45506 is a denial of service vulnerability affecting HAProxy versions 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6. The vulnerability exists in the HTTP/2 zero-copy forwarding mechanism, specifically within the h2_send loop, which under certain conditions can be exploited by remote attackers to cause service disruption. This vulnerability has been confirmed as exploited in the wild during 2024.
Critical Impact
Remote attackers can exploit this vulnerability to cause denial of service against HAProxy instances, disrupting load balancing and reverse proxy services for web applications and infrastructure.
Affected Products
- HAProxy 2.9.x versions before 2.9.10
- HAProxy 3.0.x versions before 3.0.4
- HAProxy 3.1.x through 3.1-dev6 (including dev0 through dev5)
Discovery Timeline
- 2024-09-04 - CVE-2024-45506 published to NVD
- 2025-03-14 - Last updated in NVD database
Technical Details for CVE-2024-45506
Vulnerability Analysis
This vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition), commonly known as an infinite loop vulnerability. The flaw resides in HAProxy's HTTP/2 implementation, specifically in the zero-copy forwarding feature that was introduced to optimize data transfer performance. Under specific conditions, the h2_send function can enter a loop state that never terminates, effectively consuming CPU resources and preventing the HAProxy instance from processing legitimate requests.
The zero-copy forwarding mechanism is designed to efficiently transfer data between connections without copying it through userspace buffers. However, a logic error in handling certain HTTP/2 frame sequences causes the send loop to fail to exit properly, resulting in resource exhaustion.
Root Cause
The root cause is an infinite loop (CWE-835) in the HTTP/2 zero-copy forwarding implementation. When processing specific HTTP/2 frame patterns, the h2_send loop lacks a reachable exit condition and keeps iterating indefinitely; the stuck loop prevents proper flow control and ultimately leads to service unavailability.
Attack Vector
The attack can be initiated remotely over the network without requiring authentication or user interaction. An attacker sends specially crafted HTTP/2 requests that trigger the problematic code path in the h2_send function. Since HAProxy is typically deployed as a front-facing load balancer or reverse proxy, successful exploitation can impact availability of all services behind the affected HAProxy instance.
The vulnerability requires the HTTP/2 protocol to be enabled and the zero-copy forwarding feature to be active. Attackers can exploit this condition by establishing HTTP/2 connections and sending request patterns that trigger the infinite loop behavior.
Detection Methods for CVE-2024-45506
Indicators of Compromise
- Unusual CPU utilization spikes on HAProxy instances without corresponding increases in legitimate traffic
- HAProxy processes becoming unresponsive while still showing as running
- HTTP/2 connection timeouts or failures reported by backend services and clients
- Sustained high CPU consumption specifically in HAProxy worker processes
Detection Strategies
- Monitor HAProxy process CPU usage for anomalous sustained high utilization patterns
- Implement alerting on HTTP/2 connection handling latency exceeding normal thresholds
- Review HAProxy logs for unusual HTTP/2 frame sequences or connection patterns
- Deploy network-level monitoring to detect suspicious HTTP/2 traffic patterns targeting HAProxy instances
Monitoring Recommendations
- Configure resource monitoring with alerts for HAProxy CPU usage exceeding baseline thresholds
- Enable HAProxy debug logging for HTTP/2 connections during investigation periods
- Monitor backend server health checks for failures that may indicate HAProxy unavailability
- Track HTTP/2 connection establishment rates and durations for anomaly detection
How to Mitigate CVE-2024-45506
Immediate Actions Required
- Upgrade HAProxy 2.9.x installations to version 2.9.10 or later
- Upgrade HAProxy 3.0.x installations to version 3.0.4 or later
- Upgrade HAProxy 3.1-dev installations to 3.1-dev7 or later
- Review and apply security patches from the HAProxy Commit Repository
Patch Information
HAProxy has released patches addressing this vulnerability. The fixes are available in versions 2.9.10, 3.0.4, and subsequent releases. Organizations should prioritize patching as this vulnerability has been exploited in the wild. Detailed patch information can be found in the HAProxy 3.1 Changelog and through the HAProxy mailing list announcements.
Workarounds
- If immediate patching is not possible, consider temporarily disabling HTTP/2 support and falling back to HTTP/1.1
- Implement rate limiting on incoming HTTP/2 connections at the network perimeter
- Deploy redundant HAProxy instances behind a health-checking mechanism to maintain availability
- Monitor HAProxy instances closely and automate restart procedures for unresponsive processes
# Disable HTTP/2 in HAProxy frontend configuration (temporary workaround)
# Edit haproxy.cfg and modify the frontend section
frontend www
    bind *:443 ssl crt /etc/ssl/certs/cert.pem alpn h2,http/1.1
    # Change to disable HTTP/2 (offer only HTTP/1.1 via ALPN):
    # bind *:443 ssl crt /etc/ssl/certs/cert.pem alpn http/1.1
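As an added check that is not part of this advisory or of HAProxy itself: a Python helper that tests the version string printed by `haproxy -v` against the affected ranges listed above, and lists the bind lines in a haproxy.cfg that still negotiate HTTP/2 (an `alpn` list containing `h2`, or `proto h2`), which is what the workaround above removes. The sample configuration is constructed for the example.

```python
import re

# Affected ranges as stated in the advisory: 2.9.x before 2.9.10, 3.0.x before 3.0.4,
# and 3.1-dev0 through 3.1-dev6. Branches not listed there are treated as unaffected.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-dev(\d+))?")

def is_affected(version_text: str) -> bool:
    """True when the version in a 'haproxy -v' line falls in an affected range."""
    m = _VERSION_RE.search(version_text)
    if not m:
        raise ValueError(f"no HAProxy version found in {version_text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    dev = int(m.group(4)) if m.group(4) else None
    if (major, minor) == (2, 9):
        return patch < 10
    if (major, minor) == (3, 0):
        return patch < 4
    if (major, minor) == (3, 1):
        # Only the -dev0..-dev6 snapshots are listed; 3.1-dev7+ and 3.1.0 carry the fix.
        return dev is not None and dev <= 6
    return False

_SECTIONS = ("global", "defaults", "frontend", "listen", "backend")

def h2_binds(cfg_text: str) -> list[tuple[str, str]]:
    """(section, bind line) pairs whose bind negotiates HTTP/2 via 'alpn ...,h2' or 'proto h2'."""
    hits, section = [], "<none>"
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not tokens:
            continue
        if tokens[0] in _SECTIONS:
            section = " ".join(tokens[:2])  # e.g. "frontend www"
        elif tokens[0] == "bind":
            for key, val in zip(tokens[1:], tokens[2:]):  # adjacent keyword/value pairs
                if (key == "alpn" and "h2" in val.lower().split(",")) or (key, val.lower()) == ("proto", "h2"):
                    hits.append((section, " ".join(tokens)))
                    break
    return hits

# Constructed sample haproxy.cfg (not from the advisory): one frontend still offering h2,
# one already restricted to HTTP/1.1 as in the workaround, and one cleartext listener forcing h2.
SAMPLE_CFG = """\
frontend www
    bind *:443 ssl crt /etc/ssl/certs/cert.pem alpn h2,http/1.1
frontend www_fixed
    bind *:8443 ssl crt /etc/ssl/certs/cert.pem alpn http/1.1
listen h2c
    bind *:8080 proto h2
"""
```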
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


