Hi,

HAProxy 3.0.12 was released on 2025/10/03. It added 132 new commits after version 3.0.11.

This is not the usual announce message describing all the bugs fixed by this release. Here, only the critical fix in the mjson JSON decoder will be described. The formal announce message will come quickly after that, by replying to this mail, most probably next Monday.

So, as said, an issue in the mjson JSON decoder causes numbers with large exponents to eat a lot of CPU and possibly even to trigger the watchdog and kill the process. It affects the converters "json_query()", "jwt_header_query()", and "jwt_payload_query()". There's no workaround for this because the issue is at a really low level in the decoder, so one cannot really count on a reasonable regex or such a thing to fix this. This bug was assigned CVE-2025-11230 and affects all versions featuring the JSON decoder, i.e. 2.4 and above. Only an update will fix this. We'd like to thank Oula Kivalo for reporting the issue with a reproducer.

As a note, we were notified that CVE-2023-30421 had already been assigned to the mjson library two years ago about the same issue, but no fix had been issued and it was not mentioned in the project (though an issue about this was reported).

If you rely on one of the converters above, you must definitely upgrade. Otherwise, stay tuned for the official announce message to have more info about this release.
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.0/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.0.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.0.git
   Changelog        : https://www.haproxy.org/download/3.0/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Alexander Stephan (6):
      BUG/MINOR: halog: Add OOM checks for calloc() in filter_count_srv_status() and filter_count_url()
      BUG/MINOR: log: Add OOM checks for calloc() and malloc() in logformat parser and dup_logger()
      BUG/MINOR: acl: Add OOM check for calloc() in smp_fetch_acl_parse()
      BUG/MINOR: cfgparse: Add OOM check for calloc() in cfg_parse_listen()
      BUG/MINOR: compression: Add OOM check for calloc() in parse_compression_options()
      BUG/MINOR: tools: Add OOM check for malloc() in indent_msg()

Amaury Denoyelle (23):
      BUG/MINOR: mux-quic: do not decode if conn in error
      MINOR: quic: rename min/max fields for congestion window algo
      BUG/MINOR: quic: ensure cwnd limits are always enforced
      BUG/MINOR: config/server: reject QUIC addresses
      BUG/MINOR: mux-quic/h3: properly handle too low peer fctl initial stream
      DOC: list missing global QUIC settings
      BUG/MINOR: mux-h1: fix wrong lock label
      BUG/MINOR: quic: do not emit probe data if CONNECTION_CLOSE requested
      BUG/MAJOR: quic: fix INITIAL padding with probing packet only
      MINOR: quic: centralize padding for HP sampling on packet building
      BUG/MINOR: connection: rearrange union list members
      BUG/MINOR: connection: remove extra session_unown_conn() on reverse
      BUG/MINOR: server: decrement session idle_conns on del server
      MINOR: doc: add missing statistics column
      MINOR: doc: add missing statistics column
      BUG/MAJOR: mux-quic: fix crash on reload during emission
      BUG/MINOR: quic: fix room check if padding requested
      BUG/MINOR: quic: fix padding issue on INITIAL retransmit
      BUG/MEDIUM: conn: fix UAF on connection after reversal on edge
      BUG/MINOR: connection: streamline conn detach from lists
      CLEANUP: quic: fix typo in quic_tx trace
      OPTIM: check: do not delay MUX for ALPN if SSL not active
      BUG/MEDIUM: checks: fix ALPN inheritance from server

Aurelien DARRAGON (5):
      BUG/MINOR: hlua_fcn: restore server pairs iterator pointer consistency
      BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list iterator
      BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options
      BUG/MINOR: hlua: take default-path into account with lua-load-per-thread
      BUG/MINOR: log: fix potential memory leak upon error in add_to_logformat_list()

Christopher Faulet (35):
      DOC: config: Fix a typo in 2.7 (Name format for maps and ACLs)
      BUG/MEDIUM: check: Requeue healthchecks on I/O events to handle check timeout
      BUG/MINOR: h1: Fix doc of 'accept-unsafe-...-request' about URI parsing
      BUG/MEDIUM: cli: Don't consume data if outbuf is full or not available
      MINOR: cli: handle EOS/ERROR first
      BUG/MEDIUM: check: Set SOCKERR by default when a connection error is reported
      BUG/MINOR: stream: Avoid recursive evaluation for unique-id based on itself
      BUG/MINOR: log: Be able to use %ID alias at anytime of the stream's evaluation
      BUG/MEDIUM: hlua: Forbid any L6/L7 sample fetch functions from lua services
      BUG/MEDIUM: mux-h2: Properly handle connection error during preface sending
      BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
      BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
      BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
      BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established
      BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred
      BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
      BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred
      BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
      BUG/MINOR: http-client: Reject any 101-switching-protocols response
      BUG/MEDIUM: http-client: Drain the request if an early response is received
      BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM
      BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
      BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before committing the HTX buffer
      BUG/MEDIUM: stconn: Fix conditions to know an applet can get data from stream
      BUG/MEDIUM: Remove sync sends from streams to applets
      REG-TESTS: map_redirect: Don't use hdr_dom in ACLs with "-m end" matching method
      BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default server
      BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
      BUG/MAJOR: stream: Force channel analysis on successful synchronous send
      MINOR: server: Parse sni and pool-conn-name expressions in a dedicated function
      BUG/MEDIUM: server: Use sni as pool connection name for SSL server only
      BUG/MINOR: server: Update healthcheck when server settings are changed via CLI
      BUG/MINOR: pattern: Properly flag virtual maps as using samples
      BUG/MINOR: pattern: Fix pattern lookup for map with opt@ prefix
      Revert "MINOR: quic: Useless TX buffer size reduction in closing state"

David Carlier (2):
      BUILD/MEDIUM: deviceatlas: fix when installed in custom locations.
      DOC: deviceatlas build clarifications

Frederic Lecaille (11):
      BUG/MINOR: quic: Missing SSL session object freeing
      BUG/MINOR: quic: wrong QUIC_FT_CONNECTION_CLOSE(0x1c) frame encoding
      MINOR: quic: Useless TX buffer size reduction in closing state
      BUG/MINOR: quic: Wrong source address use on FreeBSD
      BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets
      MINOR: quic: remove ->offset qf_crypto struct field
      BUG/MINOR: mux-quic: trace with non initialized qcc
      CLEANUP: quic: remove a useless CRYPTO frame variable assignment
      BUG/MEDIUM: quic: CRYPTO frame freeing without eb_delete()
      BUG/MINOR: quic: ignore AGAIN ncbuf err when parsing CRYPTO frames
      MINOR: quic: Add more information about RX packets

Lukas Tribus (2):
      DOC: management: fix typo in commit f4f93c56
      DOC: config: recommend single quoting passwords

Olivier Houchard (7):
      BUG/MEDIUM: fd: Use the provided tgid in fd_insert() to get tgroup_info
      BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
      BUG/MEDIUM: ssl: Fix 0rtt to the server
      BUG/MEDIUM: ssl: fix build with AWS-LC
      BUG/MEDIUM: h1: Allow reception if we have early data
      BUG/MEDIUM: ssl: create the mux immediately on early data
      BUG/MEDIUM: stick-tables: Don't let table_process_entry() handle refcnt

Remi Tricot-Le Breton (4):
      BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter
      DOC: Fix 'jwt_verify' converter doc
      BUG/MINOR: init: Initialize random seed earlier in the init process
      BUG/MINOR: ocsp: Crash when updating CA during ocsp updates

Valentine Krasnobaeva (6):
      MINOR: compiler: add __nonstring macro
      DOC: config: prefer-last-server: add notes for non-deterministic algorithms
      BUG/MINOR: halog: exit with error when some output filters are set simultaneously
      BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR
      BUG/MINOR: acl: set arg_list->kw to aclkw->kw string literal if aclkw is found
      BUG/MINOR: resolvers: always normalize FQDN from response

William Lallemand (9):
      BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
      DOC: configuration: add details on prefer-client-ciphers
      BUG/MINOR: httpclient: wrongly named httpproxy flag
      DOC: management: clarify usage of -V with -c
      MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
      DOC: unreliable sockpair@ on macOS
      DOC: configuration: confuse "strict-mode" with "zero-warning"
      BUILD: halog: misleading indentation in halog.c
      BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file

Willy Tarreau (20):
      BUG/MEDIUM: peers: also limit the number of incoming updates
      BUILD: tools: properly define ha_dump_backtrace() to avoid a build warning
      MINOR: http: add a function to validate characters of :authority
      BUG/MEDIUM: h2/h3: reject some forbidden chars in :authority before reassembly
      BUG/MEDIUM: h1/h2/h3: reject forbidden chars in the Host header field
      SCRIPTS: drop the HTML generation from announce-release
      BUG/MINOR: listener: really assign distinct IDs to shards
      BUILD: compat: provide relaxed versions of the MIN/MAX macros
      BUILD: compat: always set _POSIX_VERSION to ease comparisons
      BUG/MINOR: haproxy: be sure not to quit too early on soft stop
      BUILD: acl: silence a possible null deref warning in parse_acl_expr()
      REGTESTS: explicitly use "balance roundrobin" where RR is needed
      BUILD: trace: silence a bogus build warning at -Og
      BUG/MINOR: cpu_topo: work around a small bug in musl's CPU_ISSET()
      BUG/MINOR: activity: fix reporting of task latency
      BUG/MEDIUM: ring: invert the length check to avoid an int overflow
      OPTIM: sink: reduce contention on sink_announce_dropped()
      MINOR: ssl: add the ssl_bc_sni sample fetch function to retrieve backend SNI
      DOC: config: clarify some known limitations of the json_query() converter
      BUG/CRITICAL: mjson: fix possible DoS when parsing numbers

zhanhb (2):
      BUG/MINOR: h2: forbid 'Z' as well in header field names checks
      BUG/MINOR: h3: forbid 'Z' as well in header field names checks

---
Christopher Faulet
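Added example (editor's illustration, not HAProxy's or mjson's code, which the announcement does not show): the C program below contrasts a hypothetical number conversion whose cost grows linearly with the exponent, one way a JSON decoder can burn CPU on an input such as "1e999999999" as described in the message above, with a bounded conversion that clamps the exponent before doing any arithmetic. The function names, the clamp value of 400, the iteration budget and the sample inputs are assumptions made for this illustration; the actual root cause inside mjson is not described in the announcement and may differ.

```c
#include <ctype.h>
#include <float.h>
#include <math.h>
#include <stdio.h>

/* Beyond this magnitude every finite double has already overflowed to inf or
 * underflowed to 0, so clamping the exponent here cannot change the result.
 * (Assumed value for the illustration.) */
#define EXP_CLAMP 400L

/* Scan a JSON number: -?digits(.digits)?([eE][+-]?digits)? (leading-zero rule
 * not enforced).  Returns a pointer past the number or NULL if malformed.
 * *mant receives the digits as an integer-valued double, *exp10 the decimal
 * exponent to apply (exponent minus fraction digits).  The exponent
 * accumulator saturates after 9 digits so it can never overflow a long. */
static const char *scan_number(const char *s, double *mant, long *exp10)
{
    const char *p = s;
    int neg = 0, frac_digits = 0, exp_digits = 0, esign = 1;
    double m = 0.0;
    long e = 0;

    if (*p == '-') { neg = 1; p++; }
    if (!isdigit((unsigned char)*p)) return NULL;
    for (; isdigit((unsigned char)*p); p++)
        m = m * 10.0 + (*p - '0');
    if (*p == '.') {
        p++;
        if (!isdigit((unsigned char)*p)) return NULL;
        for (; isdigit((unsigned char)*p); p++, frac_digits++)
            m = m * 10.0 + (*p - '0');
    }
    if (*p == 'e' || *p == 'E') {
        p++;
        if (*p == '+') p++;
        else if (*p == '-') { esign = -1; p++; }
        if (!isdigit((unsigned char)*p)) return NULL;
        for (; isdigit((unsigned char)*p); p++, exp_digits++)
            if (exp_digits < 9) e = e * 10 + (*p - '0');
    }
    *mant = neg ? -m : m;
    *exp10 = esign * e - frac_digits;
    return p;
}

/* Hypothetical naive conversion (not mjson's code): scale by ten once per unit
 * of exponent, so "1e999999999" costs ~1e9 iterations for a single request.
 * The budget only exists so this demo terminates: 0 = ok, -1 = malformed,
 * -2 = budget exhausted, i.e. where a real process would keep spinning until
 * the watchdog kills it. */
int naive_parse(const char *s, long budget, double *out)
{
    double m;
    long e, i, steps;
    const char *end = scan_number(s, &m, &e);

    if (!end || *end != '\0') return -1;
    steps = e < 0 ? -e : e;
    for (i = 0; i < steps; i++) {
        if (i >= budget) return -2;
        m = e < 0 ? m / 10.0 : m * 10.0;
    }
    if (out) *out = m;
    return 0;
}

/* Hardened conversion: clamp the exponent *before* any arithmetic, then scale
 * by repeated squaring, so the work is O(log EXP_CLAMP) however many exponent
 * digits the input carries.  0 = ok, -1 = malformed, -2 = overflow (rejected
 * instead of silently becoming infinity); underflow rounds to 0. */
int safe_parse(const char *s, double *out)
{
    double m, r = 1.0, base = 10.0;
    long e;
    unsigned long n;
    const char *end = scan_number(s, &m, &e);

    if (!end || *end != '\0') return -1;
    if (e > EXP_CLAMP) e = EXP_CLAMP;
    if (e < -EXP_CLAMP) e = -EXP_CLAMP;
    for (n = (unsigned long)(e < 0 ? -e : e); n; n >>= 1, base *= base)
        if (n & 1) r *= base;                 /* r = 10^|e|, may be inf */
    if (m != 0.0)                             /* keep "0e999..." at exactly 0 */
        m = e < 0 ? m / r : m * r;
    if (!(m >= -DBL_MAX && m <= DBL_MAX)) return -2;
    if (out) *out = m;
    return 0;
}

/* Value on success, NaN on any error (handy for one-line checks). */
double safe_value(const char *s)
{
    double v;
    return safe_parse(s, &v) == 0 ? v : NAN;
}

int main(void)
{
    /* Constructed inputs: ordinary numbers plus exponent bombs. */
    const char *in[] = { "42", "-2.5e-3", "1e5", "1e999999999", "0e999999999", "1e-999999999" };
    size_t i;

    for (i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        double v = 0.0;
        int rs = safe_parse(in[i], &v), rn = naive_parse(in[i], 1000000L, NULL);
        printf("%-13s safe rc=%2d value=%-8g naive(1e6 budget): %s\n", in[i], rs, v,
               rn == -2 ? "budget exhausted" : rn == 0 ? "ok" : "malformed");
    }
    return 0;
}
```

The hardened form also illustrates why the message says a regex is not a workaround: the bound has to be applied to the exponent after it has been scanned, inside the decoder's own number conversion, a stage that no configuration-level filter can reach before the converter starts spending CPU. Rejecting the overflow explicitly (rather than returning inf) also keeps a downstream json_query() consumer from being handed a value the JSON text never expressed.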

