Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-11230

CVE-2025-11230: HAProxy Aloha Appliance DoS Vulnerability

CVE-2025-11230 is a denial of service vulnerability in HAProxy Aloha Appliance caused by inefficient algorithm complexity in mjson. Attackers can exploit this with crafted JSON requests. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-11230 Overview

CVE-2025-11230 is an algorithmic complexity vulnerability in the mjson library used by HAProxy that allows remote attackers to cause a denial of service through specially crafted JSON requests. The vulnerability stems from inefficient algorithm complexity (CWE-407) in the JSON parsing component, which can be exploited by sending malicious JSON payloads that trigger excessive computational resource consumption.

HAProxy is a widely deployed high-availability load balancer and proxy server that handles critical traffic for enterprise applications. This vulnerability affects multiple HAProxy product lines including the open-source HAProxy, HAProxy Enterprise, HAProxy ALOHA Appliance, and the Kubernetes Ingress Controller, making it a significant concern for organizations relying on HAProxy for their infrastructure.

Critical Impact

Remote attackers can cause service disruption by sending specially crafted JSON requests that exploit inefficient parsing algorithms, potentially taking down load balancing infrastructure and affecting backend service availability.

Affected Products

  • HAProxy (multiple versions)
  • HAProxy Enterprise (versions 2.4r1, 2.6r1, 2.8r1, 3.0r1, 3.1r1)
  • HAProxy ALOHA Appliance
  • HAProxy Kubernetes Ingress Controller (Community and Enterprise editions)

Discovery Timeline

  • 2025-11-19 - CVE-2025-11230 published to NVD
  • 2025-12-19 - Last updated in NVD database

Technical Details for CVE-2025-11230

Vulnerability Analysis

The vulnerability exists in HAProxy's mjson library, a lightweight JSON parsing component. When processing JSON input, the mjson parser employs an algorithm with suboptimal time complexity that becomes problematic when handling specially crafted input. An attacker can construct malicious JSON payloads designed to maximize parsing time, consuming excessive CPU cycles on the HAProxy server.

This type of algorithmic complexity attack (CWE-407) differs from traditional resource exhaustion attacks in that it doesn't require large volumes of traffic. Instead, a relatively small number of carefully crafted requests can monopolize server resources. The vulnerability is particularly concerning given HAProxy's role as a front-line component handling incoming traffic before it reaches backend services.

Since HAProxy operates at the network edge and must parse JSON in certain configurations (such as when performing content-based routing or health checks), the attack surface is directly exposed to remote, unauthenticated attackers.

Root Cause

The root cause is inefficient algorithm complexity in the mjson JSON parsing library. Certain JSON structures cause the parsing algorithm to exhibit worst-case time complexity behavior, where parsing time increases disproportionately relative to input size. This allows attackers to craft compact payloads that require extensive processing time, effectively creating an asymmetric attack where minimal attacker resources cause maximal server impact.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker sends HTTP requests containing specially crafted JSON payloads to HAProxy endpoints that perform JSON parsing. The malicious JSON structures are designed to trigger worst-case algorithmic behavior in the mjson library, causing the HAProxy process to spend excessive CPU time parsing the request.

The attack can be launched remotely against any HAProxy instance that processes JSON content, including:

  • HAProxy configurations using JSON-based content switching rules
  • HAProxy Data Plane API endpoints
  • Health check endpoints parsing JSON responses
  • Any custom Lua scripts that invoke JSON parsing

The availability impact is high as successful exploitation can render the HAProxy instance unresponsive, disrupting traffic to all backend services.

Detection Methods for CVE-2025-11230

Indicators of Compromise

  • Unusual spike in CPU utilization on HAProxy servers without corresponding increase in legitimate traffic
  • Elevated request processing times for JSON-containing requests
  • HAProxy process becoming unresponsive or timing out
  • Increased queue depth and connection backlog in HAProxy statistics
  • Repeated requests with unusually complex or deeply nested JSON structures from single sources

Detection Strategies

  • Monitor HAProxy process CPU usage and alert on sustained high utilization
  • Implement request timeout thresholds and log requests exceeding normal parsing duration
  • Configure HAProxy logging to capture request body sizes and processing times for analysis
  • Deploy network-level monitoring to detect anomalous JSON payload patterns
  • Utilize SentinelOne's Singularity platform to monitor for abnormal process behavior indicative of DoS attacks

Monitoring Recommendations

  • Enable detailed HAProxy logging including request processing timestamps
  • Configure alerting for HAProxy health check failures or service degradation
  • Monitor connection queue metrics via the HAProxy stats interface
  • Implement application-level health checks that validate response time latency
  • Review access logs for patterns of repeated complex JSON requests from suspicious sources

How to Mitigate CVE-2025-11230

Immediate Actions Required

  • Update HAProxy to the latest patched version addressing CVE-2025-11230
  • Review HAProxy configuration to identify components that perform JSON parsing
  • Implement rate limiting on endpoints that accept JSON input
  • Configure maximum request body size limits to constrain JSON payload sizes
  • Consider temporarily disabling non-essential JSON processing features until patches are applied

Patch Information

HAProxy has released security updates addressing this vulnerability. Organizations should consult the HAProxy Blog CVE-2025-11230 Analysis for detailed patch information and affected version lists. Updates are available for:

  • HAProxy open-source versions
  • HAProxy Enterprise versions (2.4r1, 2.6r1, 2.8r1, 3.0r1, 3.1r1 branches)
  • HAProxy ALOHA Appliance
  • HAProxy Kubernetes Ingress Controller (Community and Enterprise)

It is critical to update all HAProxy deployments, including Kubernetes ingress controllers and appliance-based installations.

Workarounds

  • Implement request body size limits via tune.bufsize to constrain maximum JSON payload size
  • Deploy a Web Application Firewall (WAF) in front of HAProxy to filter malicious JSON patterns
  • Configure aggressive connection timeouts using timeout http-request to limit parsing duration
  • Disable JSON parsing features if not required by your configuration
  • Implement IP-based rate limiting using HAProxy stick tables to throttle suspicious sources
bash
# HAProxy configuration hardening example
# Add to global section to limit buffer size
global
    tune.bufsize 16384
    
# Add to frontend/defaults to enforce request timeouts
defaults
    timeout http-request 10s
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Rate limiting using stick table
frontend http_in
    bind *:80
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.