Nixpkgs security tracker

Details of issue NIXPKGS-2026-1117

NIXPKGS-2026-1117
published on
CVE-2026-33555
4.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
updated 18 hours ago by @LeSuisse

Activity log
  • Created automatic suggestion
  • @LeSuisse ignored
    2 references
  • @LeSuisse ignored
    2 packages
    • prometheus-haproxy-exporter
    • haskellPackages.io-streams-haproxy
  • @LeSuisse accepted
  • @LeSuisse published on GitHub

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

Affected products

HAProxy
  • <3.3.6

Matching in nixpkgs

pkgs.haproxy

Reliable, high performance TCP/HTTP load balancer

Ignored packages (2)

Package maintainers

Fix for 3.2.x in 3.2.15

https://git.haproxy.org/?p=haproxy-3.2.git;a=commit;h=7ab4ae974c434e62896b3c68b7b485b9dceb7a25