HAProxy

Querying HAProxy

curl "https://api.attestd.io/v1/check?product=haproxy&version=2.4.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

HAProxy 2.4.0 is affected by CVE-2021-40346 (integer overflow in htx_add_header allowing request smuggling). The aggregated response expects risk_state: "high".

{
  "product": "haproxy",
  "version": "2.4.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "request_smuggling",
    "internet_exposed_service",
    "no_authentication_required",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "2.4.5",
  "confidence": 0.82,
  "cve_ids": ["CVE-2021-40346"],
  "last_updated": "2026-02-23T18:21:30Z"
}

HAProxy 2.9.4 has no known relevant vulnerabilities at the time of the last synthesis run.

curl "https://api.attestd.io/v1/check?product=haproxy&version=2.9.4" \
  -H "Authorization: Bearer $ATTESTD_KEY"

CVE history

HAProxy vulnerabilities cluster around two subsystems: the HTTP header parser (request smuggling via malformed Transfer-Encoding or Content-Length) and the HTTP/2 HPACK decoder (heap overflows via crafted frame sequences). The HAProxy team's CNA status means CVEs are typically published with complete version range data.