{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-32464", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-04-23T22:03:08.605Z", "dateReserved": "2025-04-09T00:00:00.000Z", "datePublished": "2025-04-09T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "HAProxy", "vendor": "HAProxy", "versions": [{"lessThanOrEqual": "3.1.6", "status": "affected", "version": "2.2", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1025", "description": "CWE-1025 Comparison Using Wrong Factors", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-04-09T02:29:55.512Z"}, "references": [{"url": "https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.2", "versionEndIncluding": "3.1.6"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-09T19:23:34.951884Z", "id": "CVE-2025-32464", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-09T19:24:10.305Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00031.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-23T22:03:08.605Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00031.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-23T22:03:08.605Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32464", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-09T19:23:34.951884Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-09T19:24:05.552Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H"}}], "affected": [{"vendor": "HAProxy", "product": "HAProxy", "versions": [{"status": "affected", "version": "2.2", "versionType": "custom", "lessThanOrEqual": "3.1.6"}], "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1025", "description": "CWE-1025 Comparison Using Wrong Factors"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "3.1.6", "versionStartIncluding": "2.2"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-04-09T02:29:55.512Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32464", "state": "PUBLISHED", "dateUpdated": "2025-04-23T22:03:08.605Z", "dateReserved": "2025-04-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-04-09T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one."}, {"lang": "es", "value": "HAProxy 2.2 a 3.1.6, en ciertas configuraciones poco comunes, tiene un desbordamiento de b\u00fafer basado en el mont\u00f3n sample_conv_regsub debido a la gesti\u00f3n incorrecta del reemplazo de m\u00faltiples patrones cortos por uno m\u00e1s largo."}], "id": "CVE-2025-32464", "lastModified": "2025-04-23T22:15:15.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-04-09T03:15:16.847", "references": [{"source": "cve@mitre.org", "url": "https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00031.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1025"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "haproxy: Buffer Overflow via Improper Back-Reference Replacement Length Check", "id": "2358543", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358543"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1025", "details": ["HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.", "A flaw was found in the HAProxy. This issue can allow a buffer overflow via improper length checking when replacing multiple regex back-references in a string. Specifically, the replacement size is incorrectly validated against the output buffer instead of the temporary trash buffer used during substitution. If multiple matches are replaced with strings larger than the available buffer size, this can lead to a memory overwrite."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-32464", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-04-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-32464\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-32464\nhttps://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-1025: Comparison Using Wrong Factors vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nAccess is enforced through hard token-based multi-factor authentication (MFA) and is governed by least privilege, preventing manipulation of comparison logic to bypass authorization. Input validation ensures that comparison values, such as user IDs, tokens, and session data, conform to expected formats, reducing the risk of unauthorized access from malformed input. Error-handling routines prevent exposure of internal logic, and systems are designed to fail in a known state to avoid unpredictable behavior. Session authenticity is preserved through strong identity-to-session binding, minimizing logic errors in authentication flows. Additionally, runtime monitoring detects anomalous access and comparison failures, enabling rapid response.", "threat_severity": "Moderate"}

{"created": "2025-07-12T15:42:50.142780+00:00", "updated": "2025-07-12T16:01:46.534551+00:00", "vendors": ["haproxy", "haproxy$PRODUCT$haproxy"]}