{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11230", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2025-10-01T13:10:26.249Z", "datePublished": "2025-11-19T09:28:39.750Z", "dateUpdated": "2025-11-19T17:09:15.642Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HAProxy Community Edition", "programFiles": ["src/mjson.c"], "repo": "https://git.haproxy.org/", "vendor": "HAProxy Technologies", "versions": [{"lessThan": "2.4.30", "status": "affected", "version": "2.4.0", "versionType": "semver"}, {"lessThan": "2.6.23", "status": "affected", "version": "2.6.0", "versionType": "semver"}, {"lessThan": "2.8.16", "status": "affected", "version": "2.8.0", "versionType": "semver"}, {"lessThan": "3.0.12", "status": "affected", "version": "3.0.0", "versionType": "semver"}, {"lessThan": "3.1.9", "status": "affected", "version": "3.1.0", "versionType": "semver"}, {"lessThan": "3.2.6", "status": "affected", "version": "3.2.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests."}], "value": "Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-407", "description": "CWE-407 Inefficient Algorithmic Complexity", "lang": "en", "type": "CWE"}]}], "references": [{"url": "https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability"}], "source": {"discovery": "UNKNOWN"}, "title": "Denial of service vulnerability in HAProxy mjson library", "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2025-11-19T09:28:39.750Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T17:06:27.675545Z", "id": "CVE-2025-11230", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T17:09:15.642Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11230", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T17:06:27.675545Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T17:09:02.607Z"}}], "cna": {"title": "Denial of service vulnerability in HAProxy mjson library", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.haproxy.org/", "vendor": "HAProxy Technologies", "product": "HAProxy Community Edition", "versions": [{"status": "affected", "version": "2.4.0", "lessThan": "2.4.30", "versionType": "semver"}, {"status": "affected", "version": "2.6.0", "lessThan": "2.6.23", "versionType": "semver"}, {"status": "affected", "version": "2.8.0", "lessThan": "2.8.16", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.0.12", "versionType": "semver"}, {"status": "affected", "version": "3.1.0", "lessThan": "3.1.9", "versionType": "semver"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.6", "versionType": "semver"}], "programFiles": ["src/mjson.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability"}], "descriptions": [{"lang": "en", "value": "Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.", "supportingMedia": [{"type": "text/html", "value": "Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "CWE-407 Inefficient Algorithmic Complexity"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2025-11-19T09:28:39.750Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11230", "state": "PUBLISHED", "dateUpdated": "2025-11-19T17:09:15.642Z", "dateReserved": "2025-10-01T13:10:26.249Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2025-11-19T09:28:39.750Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests."}], "id": "CVE-2025-11230", "lastModified": "2025-11-19T19:14:59.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-11-19T10:15:45.020", "references": [{"source": "[email protected]", "url": "https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-407"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "haproxy: denial of service vulnerability in HAProxy mjson library", "id": "2413003", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413003"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-407", "details": ["A flaw was found in haproxy. A stemming from an inefficient algorithmic complexity issue within its bundled mjson parsing library. This vulnerability is triggered when haproxy is configured to analyze JSON content, such as with the json_query or jwt_payload_query function"], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-11230", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-10-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-11230\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-11230"], "threat_severity": "Important"}