
Cloud Vulnerability DB
A community-led vulnerabilities database
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. This vulnerability was discovered in August 2023 and assigned CVE-2023-40225 (CVE).
The vulnerability stems from HAProxy's Content-Length header parser, which stops comparing list members once it reaches the end of the header. As a result, an empty value, or a value that ends with a comma, passes validation because the final (empty) member is never examined. The issue specifically affects the handling of empty Content-Length headers, which violates the requirements of RFC 9110 section 8.6 (HAPROXY_COMMIT).
In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request when receiving an empty Content-Length header. While most commonly used servers have safe content-length parsers, servers known to be vulnerable to this type of manipulation could be at risk (HAPROXY_ISSUE).
A configuration-based workaround consists of adding the following rule in the frontend to explicitly reject requests featuring an empty Content-Length header: `http-request deny if { hdr_len(content-length) 0 }`. The permanent fix was implemented in HAProxy versions 2.6.15, 2.7.10, and 2.8.2, which now properly reject requests and responses having empty values in the Content-Length header ([HAPROXYCOMMIT](https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856)).
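The following Python snippet is an added illustration, not HAProxy's own code: it places a simplified model of the lenient parsing behaviour described above next to a strict validator that follows RFC 9110 section 8.6 (the field value must be a non-empty run of digits, or a comma-separated list whose members are all identical digit runs). The `lenient_content_length` function is an assumption about how the pre-fix behaviour can be modelled, written only to show which header values it lets through; the sample values are constructed.

```python
import re

# RFC 9110 section 8.6: Content-Length = 1*DIGIT; a recipient MAY accept a
# comma-separated list only when every member is the same valid value.
_DIGITS = re.compile(r"^[0-9]+$")


def strict_content_length(value):
    """RFC 9110-style validator.

    Returns (accepted, length). Empty values, empty list members (which is
    what a trailing comma produces), non-digit members and lists with
    differing members are all rejected.
    """
    members = [m.strip(" \t") for m in value.split(",")]
    if any(m == "" for m in members):
        return (False, None)          # covers "" and "5," among others
    if any(not _DIGITS.match(m) for m in members):
        return (False, None)
    lengths = {int(m) for m in members}
    if len(lengths) != 1:
        return (False, None)          # e.g. "5,6": conflicting lengths
    return (True, lengths.pop())


def lenient_content_length(value):
    """Simplified model (an assumption, not HAProxy's parser) of the
    lenient behaviour: members are compared as they are scanned, and the
    scan simply stops at the end of the header, so an empty final member
    is skipped instead of being rejected.

    Returns (accepted, length); length is None when the header was empty
    and would be forwarded as-is.
    """
    seen = None
    for member in value.split(","):
        member = member.strip(" \t")
        if member == "":
            continue                  # end of header reached: never checked
        if not _DIGITS.match(member):
            return (False, None)
        if seen is not None and int(member) != seen:
            return (False, None)
        seen = int(member)
    return (True, seen)


def compare(value):
    """Run both parsers on one header value and report the difference."""
    return {
        "value": value,
        "lenient": lenient_content_length(value),
        "strict": strict_content_length(value),
    }


# Constructed sample values, including the two shapes named in the advisory
# (empty value, value ending with a comma).
SAMPLES = ["", "5,", "5", "5, 5", "5,6", "abc", "0"]

if __name__ == "__main__":
    for sample in SAMPLES:
        row = compare(sample)
        flag = "" if row["lenient"][0] == row["strict"][0] else "  <- lenient lets it through"
        print(f"{sample!r:10} lenient={row['lenient']} strict={row['strict']}{flag}")
```

Running the script shows that the two parsers agree on well-formed and clearly malformed values, and differ exactly on the empty header and the trailing-comma case, which is what the frontend `http-request deny` rule and the fixed releases close off.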
Source: This report was generated using AI