Impact
HAProxy versions up to 3.4.0 contain an integer overflow in the fcgi_conn structure’s drl field. When a FastCGI backend sends a content length of 65535 and a padding length of one or more, the drl value wraps to zero, which causes the framing parser to misread subsequent record headers. This can lead to request routing errors, response smuggling, or memory safety problems, and the weakness is a classic integer overflow (CWE‑190).
Affected Systems
The vulnerability affects the HAProxy software defined by the vendor haproxy:haproxy, specifically releases up to and including version 3.4.0. No newer releases are listed as affected.
Risk and Exploitability
The CVSS score of 9 indicates critical severity, and the EPSS score is not available. The flaw is not yet listed in the CISA KEV catalog. Exploitation requires a malicious FastCGI backend capable of crafting the specific payload that triggers the drl wrap; the attack vector is internal between HAProxy and its FastCGI backends, so it is not externally triggered but can be leveraged by compromised or malicious backend services.
OpenCVE Enrichment
Ubuntu USN