Overview
A high-severity denial-of-service (DoS) vulnerability, identified as CVE-2025-11230, has been discovered in the mjson library used by HAProxy. This flaw allows remote attackers to trigger a DoS condition by sending specially crafted JSON requests to a vulnerable HAProxy instance. The vulnerability arises from inefficient algorithmic complexity within the mjson library, leading to excessive resource consumption when processing malicious JSON data.
Technical Details
The core of the vulnerability lies in how the mjson library parses and processes complex JSON structures. Specifically, a specially crafted JSON request with deeply nested or highly redundant elements can cause the parsing algorithm to exhibit exponential time complexity. This leads to a rapid consumption of CPU resources, effectively starving the HAProxy instance and preventing it from serving legitimate traffic.
Attackers can exploit this vulnerability without requiring authentication, making it a significant threat to publicly accessible HAProxy deployments.
CVSS Analysis
The vulnerability has been assigned a CVSS score of 7.5, indicating a HIGH severity. This score reflects the following characteristics:
- Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely over the network.
- Attack Complexity (AC): Low (L) – Exploitation requires minimal effort from the attacker.
- Privileges Required (PR): None (N) – No authentication is required to exploit the vulnerability.
- User Interaction (UI): None (N) – No user interaction is required.
- Scope (S): Unchanged (U) – The vulnerability affects the HAProxy instance itself.
- Confidentiality Impact (C): None (N) – The vulnerability does not compromise the confidentiality of data.
- Integrity Impact (I): None (N) – The vulnerability does not compromise the integrity of data.
- Availability Impact (A): High (H) – The vulnerability can lead to a complete denial of service.
Possible Impact
A successful exploit of CVE-2025-11230 can have significant consequences:
- Service Disruption: HAProxy instances become unavailable, impacting critical applications and services that rely on them.
- Financial Loss: Downtime can lead to financial losses due to lost transactions, reduced productivity, and reputational damage.
- Reputational Damage: Service outages can erode customer trust and damage the organization’s reputation.
Mitigation and Patch Steps
The recommended mitigation is to upgrade to a patched version of HAProxy that includes a fix for the mjson library. Follow these steps:
- Identify Vulnerable Instances: Determine all HAProxy instances in your environment that are using the vulnerable mjson library.
- Apply the Patch: Upgrade to the latest stable version of HAProxy. Consult the official HAProxy documentation for detailed upgrade instructions. This usually involves updating your package manager and reinstalling HAProxy.
- Verify the Fix: After applying the patch, thoroughly test the HAProxy instance to ensure that the vulnerability has been addressed. Consider using penetration testing tools to simulate malicious JSON requests.
- Implement Rate Limiting: As an additional layer of protection, implement rate limiting on incoming JSON requests to prevent attackers from overwhelming the HAProxy instance.
- Monitor for Suspicious Activity: Continuously monitor HAProxy logs for any signs of suspicious JSON requests or excessive resource consumption.
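The following script is an added example, not part of this advisory or of the HAProxy project, that carries the steps above through in one place: it parses the running version out of `haproxy -vv`, compares it against the fixed release, checks whether the configuration actually reaches the mjson parser, and writes a per-source rate-limiting frontend for JSON requests. It assumes two things the page does not state: the fixed version number (FIXED_VERSION is a placeholder to be filled from the HAProxy release announcement) and that mjson is only reached through HAProxy's json_query converter, so a configuration without json_query is treated as lower priority rather than as safe. The frontend and backend names, port, file path and thresholds are illustrative.

```shell
#!/bin/sh
# Added example for triaging CVE-2025-11230; not from the advisory or HAProxy.
# Assumptions (not stated on the page):
#  - FIXED_VERSION is a PLACEHOLDER; take the real value from the HAProxy release notes.
#  - mjson is reached through the json_query converter, so a configuration that
#    never uses json_query is lower priority, not safe.
set -u

FIXED_VERSION="${FIXED_VERSION:-X.Y.Z}"   # PLACEHOLDER, see above

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# parse_version: read `haproxy -vv` output on stdin and print the numeric
# version from its first line ("HAProxy version 2.9.7-..." -> "2.9.7").
parse_version() {
    sed -n '1s/^HA-*Proxy version \([0-9][0-9.]*\).*$/\1/p'
}

# config_uses_json_query FILE: succeed when an uncommented line of the
# configuration uses the json_query converter.
config_uses_json_query() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'json_query'
}

# assess VERSION CONFIG: print one triage verdict for an instance.
assess() {
    if version_lt "$1" "$FIXED_VERSION"; then
        if config_uses_json_query "$2"; then
            echo "UPGRADE-FIRST: $1 is older than $FIXED_VERSION and the config parses JSON"
        else
            echo "UPGRADE: $1 is older than $FIXED_VERSION"
        fi
    else
        echo "PATCHED: $1"
    fi
}

# write_rate_limit_frontend FILE: emit a frontend that tracks the per-source
# request rate for JSON bodies and answers 429 above 20 requests per 10s.
# Names, port and thresholds are illustrative; tune them to real traffic.
write_rate_limit_frontend() {
    cat > "$1" <<'EOF'
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_json_api
    bind :8080
    stick-table type ip size 100k expire 60s store http_req_rate(10s)
    http-request track-sc0 src if { req.hdr(content-type) -m sub json }
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }
    default_backend be_api

backend be_api
    server app1 127.0.0.1:9000
EOF
    # Syntax-check the generated file when haproxy is installed (-c only validates).
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1"
    fi
}

# Stand-alone run against the local binary and the usual config path.
if [ "${1:-}" = "--live" ]; then
    ver=$(haproxy -vv 2>/dev/null | parse_version)
    assess "${ver:-0}" /etc/haproxy/haproxy.cfg
fi
```

Run it as `FIXED_VERSION=<fixed release> sh triage.sh --live` on each host found in the inventory step; the rate-limiting frontend is meant as the extra layer the page describes, applied on top of the upgrade rather than instead of it, and the deny rule fires only for sources that have already been tracked as sending JSON.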