CVE-2025-11230 Overview
CVE-2025-11230 is an algorithmic complexity vulnerability in the mjson library bundled with HAProxy that allows remote attackers to cause a denial of service through specially crafted JSON input. The vulnerability stems from inefficient algorithmic complexity (CWE-407) in the JSON parsing component: a malicious JSON payload can drive the parser into its worst case and consume a disproportionate amount of CPU time relative to the payload's size.
HAProxy is a widely deployed high-availability load balancer and proxy server that handles critical traffic for enterprise applications. This vulnerability affects multiple HAProxy product lines including the open-source HAProxy, HAProxy Enterprise, HAProxy ALOHA Appliance, and the Kubernetes Ingress Controller, making it a significant concern for organizations relying on HAProxy for their infrastructure.
Critical Impact
Remote attackers can cause service disruption by sending specially crafted JSON requests that exploit inefficient parsing algorithms, potentially taking down load balancing infrastructure and affecting backend service availability.
Affected Products
- HAProxy (multiple versions)
- HAProxy Enterprise (versions 2.4r1, 2.6r1, 2.8r1, 3.0r1, 3.1r1)
- HAProxy ALOHA Appliance
- HAProxy Kubernetes Ingress Controller (Community and Enterprise editions)
Discovery Timeline
- 2025-11-19 - CVE-2025-11230 published to NVD
- 2025-12-19 - Last updated in NVD database
Technical Details for CVE-2025-11230
Vulnerability Analysis
The vulnerability exists in the copy of mjson that HAProxy embeds as its lightweight JSON parser. HAProxy invokes mjson through the json_query converter, which extracts a value from a JSON document held in a sample such as a request body, header or cookie. When processing JSON input, the mjson parser employs an algorithm with suboptimal worst-case time complexity, and an attacker can construct a JSON payload that steers the parser into that worst case, consuming excessive CPU cycles on the HAProxy server.
This type of algorithmic complexity attack (CWE-407) differs from traditional resource exhaustion attacks in that it doesn't require large volumes of traffic. Instead, a relatively small number of carefully crafted requests can monopolize server resources. The vulnerability is particularly concerning given HAProxy's role as a front-line component handling incoming traffic before it reaches backend services.
Since HAProxy operates at the network edge, a json_query applied to client-supplied data (for example, content-based routing on a field in the request body) exposes the parser directly to remote, unauthenticated attackers. Deployments whose configuration never uses json_query do not pass attacker-controlled input to mjson at all, which is the first thing to check when assessing exposure.
Root Cause
The root cause is inefficient algorithm complexity in the mjson JSON parsing library. Certain JSON structures cause the parsing algorithm to exhibit worst-case time complexity behavior, where parsing time increases disproportionately relative to input size. This allows attackers to craft compact payloads that require extensive processing time, effectively creating an asymmetric attack where minimal attacker resources cause maximal server impact.
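The asymmetry described above can be checked empirically for any parser: run it on inputs of growing size and fit a growth exponent to the measured cost. The following is an added illustration, not HAProxy or mjson code, and its quadratic lookup is a deliberately wasteful toy rather than a reconstruction of the actual mjson defect. The nested document generator, the two lookup routines and the exponent fit are all assumptions of this example.

```python
"""Empirical growth-rate check for a JSON path lookup.

Added example (not HAProxy or mjson code). The naive_lookup below is a toy
with quadratic worst-case cost; it stands in for any parser whose per-step
work depends on the whole remaining input. Cost is measured as bytes handed
to the parser, so the result is deterministic and needs no timing.
"""
import json
import math


def nested_doc(depth: int) -> str:
    """Constructed input: {"a":{"a":...{"a":1}...}} nested `depth` levels."""
    return '{"a":' * depth + "1" + "}" * depth


def naive_lookup(doc: str, path: list[str]):
    """Re-parse the remaining document at every path step (quadratic).

    Step i re-serialises and re-parses the subtree below key i, so the
    total bytes parsed grow with depth squared. Returns (value, bytes_parsed).
    """
    scanned = 0
    node = doc
    for key in path:
        scanned += len(node)
        node = json.dumps(json.loads(node)[key])
    scanned += len(node)
    return json.loads(node), scanned


def linear_lookup(doc: str, path: list[str]):
    """Parse once, then walk the path: bytes parsed == len(doc)."""
    node = json.loads(doc)
    for key in path:
        node = node[key]
    return node, len(doc)


def fit_exponent(sizes, costs) -> float:
    """Least-squares slope of log(cost) vs log(size): ~1 linear, ~2 quadratic."""
    xs = [math.log(s) for s in sizes]
    ys = [math.log(c) for c in costs]
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def growth_exponent(lookup, depths=(25, 50, 100, 200)) -> float:
    """Run `lookup` on growing nested documents and return the fitted exponent."""
    sizes, costs = [], []
    for d in depths:
        doc = nested_doc(d)
        _, cost = lookup(doc, ["a"] * d)
        sizes.append(len(doc))
        costs.append(cost)
    return fit_exponent(sizes, costs)


if __name__ == "__main__":
    # An exponent near 2 means doubling the input quadruples the work: the
    # signature of a CWE-407 target. Near 1 means the parser scales linearly.
    print(f"naive  lookup exponent ~ {growth_exponent(naive_lookup):.2f}")
    print(f"linear lookup exponent ~ {growth_exponent(linear_lookup):.2f}")
```

Replace the byte count with wall-clock time from time.perf_counter() to probe a real parser such as a json_query-equipped HAProxy over the network; the fit then needs several repetitions per size because timing noise, not the parser, dominates at small inputs.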
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends HTTP requests carrying a specially crafted JSON payload to a frontend whose rules apply the json_query converter to client-controlled input. The malicious JSON structure triggers worst-case algorithmic behavior in the mjson library, so the HAProxy process spends excessive CPU time inside the converter while handling the request.
The attack can be launched remotely against any HAProxy instance that hands client-controlled JSON to json_query, including:
- http-request rules, ACLs or set-var expressions that apply json_query to req.body (typically together with option http-buffer-request), a request header, a cookie or a URL parameter, for example for content-based routing
- Lua scripts that call the json_query converter through HAProxy's Converters class (txn.c)
- json_query applied to backend responses (res.body), where the attacker must first be able to influence upstream content
The HAProxy Data Plane API is a separate program and does not embed mjson; it is not an entry point for this vulnerability.
The availability impact is high as successful exploitation can render the HAProxy instance unresponsive, disrupting traffic to all backend services.
Detection Methods for CVE-2025-11230
Indicators of Compromise
- Unusual spike in CPU utilization on HAProxy servers without corresponding increase in legitimate traffic
- Elevated request processing times for JSON-containing requests
- HAProxy process becoming unresponsive or timing out
- Increased queue depth and connection backlog in HAProxy statistics
- Repeated requests with unusually complex or deeply nested JSON structures from single sources
Detection Strategies
- Monitor HAProxy process CPU usage and alert on sustained high utilization
- Implement request timeout thresholds and log requests exceeding normal parsing duration
- Configure HAProxy logging to capture request body sizes and processing times for analysis
- Deploy network-level monitoring to detect anomalous JSON payload patterns
- Utilize SentinelOne's Singularity platform to monitor for abnormal process behavior indicative of DoS attacks
Monitoring Recommendations
- Enable detailed HAProxy logging including request processing timestamps
- Configure alerting for HAProxy health check failures or service degradation
- Monitor connection queue metrics via the HAProxy stats interface
- Implement application-level health checks that validate response time latency
- Review access logs for patterns of repeated complex JSON requests from suspicious sources
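The log-review and timing checks above can be scripted. The following is an added example, not part of the original advisory or HAProxy's own tooling. It assumes a custom log-format (shown in the comment) that records the client address, the standard HTTP timers and the bytes uploaded by the client, and it looks for the CWE-407 signature: repeated requests from one source that carry a small payload yet hold HAProxy for a long active time. The sample log lines and the thresholds are constructed for the example.

```python
"""Flag sources whose small requests repeatedly take a long time to process.

Added example, not HAProxy's own tooling. Expects lines written by this
constructed log-format in the frontend or defaults section:
    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %U %B %{+Q}r"
%U is bytes uploaded by the client and %Ta the total active time in ms.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ip>\S+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] (?P<fe>\S+) (?P<be>\S+)/(?P<srv>\S+) "
    r"(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) "
    r'(?P<status>-?\d+) (?P<up>\d+) (?P<down>\d+) "(?P<req>[^"]*)"$'
)

# Constructed sample: 203.0.113.9 sends ~2 KB bodies that each take ~4 s,
# while 192.0.2.44's slow request is a large upload (time proportional to size).
SAMPLE_LOG = """\
198.51.100.7:52310 [20/Nov/2025:10:01:02.123] http_in api/srv1 2/0/1/15/18 200 640 512 "POST /v1/items HTTP/1.1"
198.51.100.7:52311 [20/Nov/2025:10:01:03.001] http_in api/srv1 1/0/0/12/13 200 655 512 "POST /v1/items HTTP/1.1"
203.0.113.9:40001 [20/Nov/2025:10:01:03.400] http_in api/srv1 3/0/1/4102/4106 200 2048 512 "POST /v1/items HTTP/1.1"
203.0.113.9:40002 [20/Nov/2025:10:01:04.100] http_in api/srv1 2/0/1/3997/4000 200 2010 512 "POST /v1/items HTTP/1.1"
203.0.113.9:40003 [20/Nov/2025:10:01:05.200] http_in api/srv1 2/0/0/4210/4212 200 2031 512 "POST /v1/items HTTP/1.1"
203.0.113.9:40004 [20/Nov/2025:10:01:06.300] http_in api/srv1 4/0/1/4050/4055 200 2001 512 "POST /v1/items HTTP/1.1"
192.0.2.44:61000 [20/Nov/2025:10:01:07.000] http_in api/srv1 1/0/0/9/10 200 301 512 "GET /healthz HTTP/1.1"
192.0.2.44:61001 [20/Nov/2025:10:01:08.000] http_in api/srv1 1/0/0/3500/3501 200 900000 512 "POST /upload HTTP/1.1"
"""


def parse_line(line: str):
    """Parse one log line into a dict; timers and sizes become ints. None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("TR", "Tw", "Tc", "Tr", "Ta", "status", "up", "down"):
        rec[key] = int(rec[key])  # timers may be -1 when a phase never happened
    return rec


def find_suspects(lines, slow_ms=1000, small_bytes=64 * 1024, min_hits=3):
    """Return per-source stats for sources with >= min_hits small-but-slow requests.

    A hit is a request whose uploaded bytes are at most `small_bytes` while its
    total active time reaches `slow_ms`: little input, lots of processing.
    """
    stats = defaultdict(lambda: {"total": 0, "hits": 0, "max_ta": 0, "max_up": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        s["max_ta"] = max(s["max_ta"], rec["Ta"])
        if rec["Ta"] >= slow_ms and rec["up"] <= small_bytes:
            s["hits"] += 1
            s["max_up"] = max(s["max_up"], rec["up"])
    return {ip: s for ip, s in stats.items() if s["hits"] >= min_hits}


if __name__ == "__main__":
    for ip, s in find_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['hits']}/{s['total']} small-but-slow requests, "
              f"max Ta={s['max_ta']} ms, max upload={s['max_up']} B")
```

Timers are wall-clock as seen by HAProxy, so a process pegged at 100% CPU inflates Ta on unrelated requests too; treat a hit list from this script as a lead to correlate with the CPU and queue metrics above, not as proof on its own. Tune slow_ms and small_bytes to the latency and payload sizes normal for the frontend.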
How to Mitigate CVE-2025-11230
Immediate Actions Required
- Update HAProxy to the latest patched version addressing CVE-2025-11230
- Review HAProxy configuration to identify components that perform JSON parsing
- Implement rate limiting on endpoints that accept JSON input
- Configure maximum request body size limits to constrain JSON payload sizes
- Consider temporarily disabling non-essential JSON processing features until patches are applied
Patch Information
HAProxy has released security updates addressing this vulnerability. Organizations should consult the HAProxy Blog CVE-2025-11230 Analysis for detailed patch information and affected version lists. Updates are available for:
- HAProxy open-source versions
- HAProxy Enterprise versions (2.4r1, 2.6r1, 2.8r1, 3.0r1, 3.1r1 branches)
- HAProxy ALOHA Appliance
- HAProxy Kubernetes Ingress Controller (Community and Enterprise)
It is critical to update all HAProxy deployments, including Kubernetes ingress controllers and appliance-based installations.
Workarounds
- Constrain the JSON handed to json_query: a sample such as req.body never exceeds one HAProxy buffer (tune.bufsize, 16384 bytes by default), and an explicit http-request deny on req.body_size (with option http-buffer-request) rejects oversized payloads before any rule runs
- Deploy a Web Application Firewall (WAF) in front of HAProxy to filter malicious JSON patterns
- Keep timeout http-request and the other timeouts tight so slow clients cannot hold connections open; note that timeouts do not interrupt CPU time already being spent inside a converter, so they limit connection hoarding, not parsing cost
- Remove json_query from rules that operate on client-controlled input if the configuration does not require it
- Implement IP-based rate limiting using HAProxy stick tables to throttle suspicious sources
# HAProxy configuration hardening example
global
    # 16384 is the default; body data available to req.body (and so to
    # json_query on it) is bounded by this buffer size
    tune.bufsize 16384

defaults
    # Timeouts bound how long a slow client can hold a connection;
    # they do not cap CPU time spent inside a converter
    timeout http-request 10s
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http_in
    bind *:80
    # Per-source rate limiting using a stick table
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.