Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-32464

CVE-2025-32464: HAProxy Buffer Overflow Vulnerability

CVE-2025-32464 is a heap-based buffer overflow vulnerability in HAProxy versions 2.2 through 3.1.6 affecting certain configurations. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-32464 Overview

CVE-2025-32464 is a heap-based buffer overflow in HAProxy affecting versions 2.2 through 3.1.6. The flaw resides in the sample_conv_regsub function, which handles regular expression substitution. When certain uncommon configurations replace multiple short patterns with a longer replacement string, the function miscalculates the remaining buffer size and writes past the allocated heap region.

Exploitation requires HAProxy configurations that use regsub converters with specific pattern characteristics. Successful exploitation impacts service availability and could corrupt adjacent heap memory. The vulnerability is tracked under [CWE-1025] and was patched upstream in the HAProxy source tree.

Critical Impact

Remote attackers can trigger heap corruption in HAProxy load balancers running vulnerable configurations, leading to service disruption or memory integrity loss.

Affected Products

  • HAProxy 2.2.x through 2.9.x
  • HAProxy 3.0.x
  • HAProxy 3.1.0 through 3.1.6

Discovery Timeline

  • 2025-04-09 - CVE-2025-32464 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-32464

Vulnerability Analysis

The vulnerability affects the sample_conv_regsub sample converter in HAProxy's src/sample.c source file. This converter performs regex-based find-and-replace operations on sample values, commonly used for header rewriting and URL manipulation.

The root defect involves incorrect boundary tracking when the replacement string is longer than the matched pattern. When HAProxy processes multiple back-references and iteratively replaces short patterns with longer content, the code miscomputes the remaining writable space. The max value is calculated against the wrong buffer's size, allowing writes beyond the allocated heap chunk.

This condition is classified as [CWE-1025] (Comparison Using Wrong Factors). The overflow corrupts adjacent heap memory and can crash the HAProxy worker process, impacting availability for all clients served by that instance.

Root Cause

The root cause is a size-comparison error where the function computed remaining capacity against output->size - output->data instead of trash->size - trash->data. Since trash is the actual destination buffer during multi-pattern replacement, this mismatch permits writes past the trash buffer boundary when replacement expansion accumulates.

Attack Vector

Attack requires a HAProxy deployment configured with regsub converters processing attacker-influenced input. An attacker sends crafted HTTP requests whose content triggers the vulnerable substitution path. Network reachability to the HAProxy front end is sufficient, though the configuration prerequisites raise attack complexity.

c
		output->data = exp_replace(output->area, output->size, start, arg_p[1].data.str.area, pmatch);
 
 		/* replace the matching part */
-		max = output->size - output->data;
+		max = trash->size - trash->data;
 		if (max) {
 			if (max > output->data)
 				max = output->data;
// Source: https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559

The patch replaces the incorrect buffer reference, ensuring the boundary check reflects the real destination buffer used across successive replacements.

Detection Methods for CVE-2025-32464

Indicators of Compromise

  • Unexpected HAProxy worker process crashes with SIGSEGV or SIGABRT in system logs
  • HAProxy stderr entries referencing memory corruption, malloc_consolidate, or double-free warnings
  • Sudden spikes in HAProxy restarts or dropped connections coinciding with unusual request patterns
  • HTTP requests containing malformed headers or URIs designed to trigger regsub expansion

Detection Strategies

  • Inventory HAProxy configuration files for regsub converter usage, particularly with dynamic patterns
  • Run haproxy -v across load balancer fleet to identify instances between 2.2 and 3.1.6
  • Monitor process exit codes and core dump generation on HAProxy hosts for anomalous termination
  • Correlate HAProxy crash timestamps with upstream request logs to identify triggering payloads

Monitoring Recommendations

  • Enable core dump collection on HAProxy hosts for post-crash forensic analysis
  • Forward HAProxy syslog output to centralized logging with alerts on worker process restarts
  • Deploy runtime memory protection such as glibc MALLOC_CHECK_ or hardened allocators on load balancer hosts
  • Track HTTP 502 and 503 error rate anomalies that may indicate exploitation attempts

How to Mitigate CVE-2025-32464

Immediate Actions Required

  • Upgrade HAProxy to a patched release beyond 3.1.6 that includes commit 3e3b9eeb
  • Audit all HAProxy configuration files for regsub converter usage and evaluate exposure
  • Apply the upstream patch to source builds if binary upgrades are not immediately feasible
  • Distribution users should apply vendor updates such as the Debian LTS advisory

Patch Information

The upstream fix corrects the buffer size calculation in sample_conv_regsub within src/sample.c. The commit 3e3b9eebf871510aee36c3a3336faac2f38c9559 changes the max boundary computation to reference the trash buffer used across replacement iterations. Distribution maintainers including Debian LTS have backported the fix to supported HAProxy branches.

Workarounds

  • Remove or disable regsub converters from HAProxy configurations until patching is complete
  • Restrict regsub usage to fixed patterns not influenced by client-controlled input
  • Deploy an upstream web application firewall to filter requests targeting rewrite rules
  • Segment HAProxy instances behind network controls that limit exposure to untrusted networks
bash
# Verify HAProxy version and check for vulnerable regsub usage
haproxy -v
grep -rn 'regsub' /etc/haproxy/

# Debian/Ubuntu upgrade
sudo apt-get update && sudo apt-get install --only-upgrade haproxy

# Restart service after patching
sudo systemctl restart haproxy
sudo systemctl status haproxy

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.