HAProxy HTTP/3 Content-Length Validation Vulnerability Allowing Request Smuggling

Vulnerability

The HTTP/3 parser in HAProxy versions before 3.3.6, including the 2.6 branch (fixed there in 2.6.25), does not verify, when a request stream is closed by a frame with an empty payload, that the number of body bytes received matches the content-length the request declared. HTTP/3 (RFC 9114, section 4.1.2) requires a request whose content-length does not equal the total DATA payload to be treated as malformed; a request that slips past this check can leave HAProxy and the backend disagreeing about where the request body ends, which is the precondition for request smuggling.
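The check the parser has to perform, shown as an added illustration rather than HAProxy's own code: a small HTTP/3 request-stream reader in C that walks HEADERS and DATA frames, records the declared content-length, and compares it with the bytes actually received once the stream carries FIN, whatever the size of the final frame. To keep it self-contained the HEADERS payload is treated as a plain-text field block instead of a QPACK-encoded one, and the frame builder, the sample streams and the `check_request` helper are constructed for this example.

```c
/* Added example, not HAProxy's code: a minimal HTTP/3 request-stream reader
 * that tracks the declared content-length against the DATA bytes actually
 * received and rejects the request at end of stream when they disagree,
 * including when the stream is closed by an empty DATA frame. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define H3_FRAME_DATA    0x00
#define H3_FRAME_HEADERS 0x01
enum h3_result { H3_MALFORMED = -1, H3_OK = 0, H3_NEED_MORE = 1 };

struct h3_req {
    int has_cl, headers_seen;
    uint64_t declared_len;   /* value of content-length, if declared */
    uint64_t body_len;       /* DATA payload bytes received so far */
};

/* QUIC variable-length integer (RFC 9000, section 16): returns bytes consumed, 0 if short. */
static size_t read_varint(const uint8_t *p, size_t n, uint64_t *out)
{
    if (n == 0) return 0;
    size_t len = (size_t)1 << (p[0] >> 6);
    if (n < len) return 0;
    uint64_t v = p[0] & 0x3f;
    for (size_t i = 1; i < len; i++) v = (v << 8) | p[i];
    *out = v;
    return len;
}

/* Simplification for the example: the HEADERS payload is a plain-text field
 * block ("name: value\n" per field) rather than QPACK. HTTP/3 field names are
 * lowercase, so an exact match on the key is enough. */
static int parse_headers(struct h3_req *r, const uint8_t *p, size_t n)
{
    static const char key[] = "content-length: ";
    const size_t klen = sizeof key - 1;
    for (size_t i = 0; i < n;) {
        const char *line = (const char *)p + i;
        const char *nl = memchr(line, '\n', n - i);
        size_t ll = nl ? (size_t)(nl - line) : n - i;
        if (ll > klen && memcmp(line, key, klen) == 0) {
            uint64_t v = 0;
            for (size_t j = klen; j < ll; j++) {
                if (line[j] < '0' || line[j] > '9') return H3_MALFORMED;  /* not a digit */
                if (v > (UINT64_MAX - 9) / 10) return H3_MALFORMED;      /* would overflow */
                v = v * 10 + (uint64_t)(line[j] - '0');
            }
            if (r->has_cl && r->declared_len != v) return H3_MALFORMED; /* conflicting copies */
            r->has_cl = 1;
            r->declared_len = v;
        }
        i += ll + 1;
    }
    return H3_OK;
}

/* Walk every frame on one request stream; `fin` says whether the QUIC stream
 * carried FIN. The length comparison runs at FIN regardless of the size of the
 * last frame, which is the case the advisory says was skipped. */
static int h3_check_stream(const uint8_t *buf, size_t n, int fin, struct h3_req *r)
{
    memset(r, 0, sizeof *r);
    for (size_t off = 0; off < n;) {
        uint64_t type, len;
        size_t k = read_varint(buf + off, n - off, &type);
        if (!k) return fin ? H3_MALFORMED : H3_NEED_MORE;           /* truncated frame header */
        off += k;
        k = read_varint(buf + off, n - off, &len);
        if (!k || len > n - off - k) return fin ? H3_MALFORMED : H3_NEED_MORE;
        off += k;
        if (type == H3_FRAME_HEADERS && !r->headers_seen) {         /* a later HEADERS block is trailers */
            if (parse_headers(r, buf + off, (size_t)len) != H3_OK) return H3_MALFORMED;
            r->headers_seen = 1;
        } else if (type == H3_FRAME_DATA) {
            if (!r->headers_seen) return H3_MALFORMED;              /* DATA before HEADERS */
            r->body_len += len;                                     /* an empty frame adds 0 */
            if (r->has_cl && r->body_len > r->declared_len) return H3_MALFORMED;
        }                                                           /* unknown frame types: skip */
        off += (size_t)len;
    }
    if (!fin) return H3_NEED_MORE;
    if (!r->headers_seen) return H3_MALFORMED;
    /* RFC 9114, section 4.1.2: content-length must equal the sum of DATA payloads. */
    return (r->has_cl && r->body_len != r->declared_len) ? H3_MALFORMED : H3_OK;
}

/* Build a constructed stream (not captured traffic) from a plain-text header
 * block and a body, optionally closing it with an empty DATA frame, then check
 * it with FIN set. Payloads stay under 64 bytes so one-byte varints suffice. */
int check_request(const char *hdr, const char *body, int empty_final_frame)
{
    uint8_t buf[256]; size_t n = 0; struct h3_req r;
    size_t hl = strlen(hdr), bl = strlen(body);
    buf[n++] = H3_FRAME_HEADERS; buf[n++] = (uint8_t)hl; memcpy(buf + n, hdr, hl); n += hl;
    buf[n++] = H3_FRAME_DATA;    buf[n++] = (uint8_t)bl; memcpy(buf + n, body, bl); n += bl;
    if (empty_final_frame) { buf[n++] = H3_FRAME_DATA; buf[n++] = 0; }
    return h3_check_stream(buf, n, 1, &r);
}
```

`check_request(":method: POST\n:path: /\ncontent-length: 10\n", "abc", 1)` is the shape of the request the advisory describes: ten bytes declared, three delivered, then an empty frame and FIN. The reader returns H3_MALFORMED because the comparison is tied to end of stream, not to the last non-empty frame; a body longer than declared is rejected as soon as it exceeds the limit, and a request without content-length is accepted on FIN alone.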

Impact

An attacker who can reach an affected HTTP/3 frontend can send a request whose declared content-length and delivered body disagree and end the stream with an empty frame. If HAProxy forwards it without rejecting it, HAProxy and the backend can lose agreement on where that request ends on the backend connection, so bytes the attacker controls may be read by the backend as the start of the next request. That is the basis of request smuggling: bypassing frontend access rules and interfering with other clients' requests on a shared backend connection. Whether it is practically exploitable depends on the backend's own length handling and on connection reuse between HAProxy and the backend.

Remediation

Upgrade to HAProxy 3.3.6 or later; on the 2.6 branch, upgrade to 2.6.25, which carries the same fix. Download instructions are available on the HAProxy website. The running build can be checked with `haproxy -v`. Because the defect is in the HTTP/3 parser, only frontends that accept QUIC/HTTP/3 (`bind quic4@...` or `quic6@...` listeners) expose it; HTTP/1.x and HTTP/2 listeners do not reach the affected code, and until the upgrade is applied, not offering HTTP/3 on a frontend removes the vulnerable path at the cost of clients falling back to HTTP/2 or HTTP/1.x.

Added: Apr 13, 2026, 6:58 PM
Updated: Apr 13, 2026, 6:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 7.5
remediation: 0.0
relevance: 5.8
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.