HAProxy, an open-source load balancer and reverse proxy, has patched a vulnerability that could allow attackers to stage HTTP request smuggling attacks. By sending a maliciously crafted HTTP request, an attacker could bypass HAProxy's filters and gain unauthorized access to back-end servers.
The vulnerability, which had existed since version 2.0 of HAProxy, released in June 2019, was reported by a group of researchers at Northeastern University, Akamai Technologies, and Google who were running tests. The maintainer of HAProxy, Willy Tarreau, has provided a temporary configuration-based workaround for those who cannot immediately upgrade to the latest version.