CVE-2025-11230
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/11/2025
Last modified:
19/12/2025
Description
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:haproxy:aloha_appliance:*:*:*:*:*:*:*:* | 14.5.0 (including) | 14.5.33 (excluding) |
| cpe:2.3:a:haproxy:aloha_appliance:*:*:*:*:*:*:*:* | 15.5.0 (including) | 15.5.28 (excluding) |
| cpe:2.3:a:haproxy:aloha_appliance:*:*:*:*:*:*:*:* | 16.5.0 (including) | 16.5.19 (excluding) |
| cpe:2.3:a:haproxy:aloha_appliance:*:*:*:*:*:*:*:* | 17.0.0 (including) | 17.0.7 (excluding) |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 2.4.0 (including) | 2.4.30 (excluding) |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 2.6.0 (including) | 2.6.23 (excluding) |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 2.8.0 (including) | 2.8.16 (excluding) |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.12 (excluding) |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 3.1.0 (including) | 3.1.9 (excluding) |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 3.2.0 (including) | 3.2.6 (excluding) |
| cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-253.271:*:*:*:*:*:* | ||
| cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-254.271:*:*:*:*:*:* | ||
| cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-259.342:*:*:*:*:*:* | ||
| cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-263.343:*:*:*:*:*:* | ||
| cpe:2.3:a:haproxy:haproxy_enterprise:2.4r1:1.0.0-264.356:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page