Hi,

HAProxy 2.8.16 was released on 2025/10/03. It added 110 new commits after version 2.8.15.
This is not the usual announcement message describing all the bugs fixed by this release. Here, only the critical fix to the mjson JSON decoder is described. The formal announcement will follow shortly, as a reply to this mail, most probably next Monday.

So, as said, an issue in the mjson JSON decoder causes numbers with large exponents to consume a lot of CPU, possibly enough to trigger the watchdog and kill the process. It affects the converters "json_query()", "jwt_header_query()" and "jwt_payload_query()". There is no workaround, because the issue sits at a very low level in the decoder, so one cannot count on a reasonable regex or similar filtering to stop it. This bug was assigned CVE-2025-11230 and affects all versions featuring the JSON decoder, i.e. 2.4 and above. Only an update will fix it. We would like to thank Oula Kivalo for reporting the issue with a reproducer.

As a note, we were notified that CVE-2023-30421 had already been assigned to the mjson library two years ago for the same issue, but no fix had been issued and it was not mentioned in the project (though an issue about it had been reported).

If you rely on one of the converters above, you must definitely upgrade. Otherwise, stay tuned for the official announcement message for more information about this release.
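To make the class of bug concrete, here is an added illustration in C. It is not mjson's or HAProxy's code and does not reproduce mjson's actual parsing loop; it assumes a decoder that scales the mantissa one decade per loop iteration (so the cost is linear in an attacker-chosen exponent) and shows a bounded alternative next to it: saturate the exponent while scanning it, then apply it by exponentiation by squaring. The function names (parse_number_naive, parse_number_hardened, scan_number), the EXP_CAP constant and the sample inputs are all constructed for this example, and the number grammar is deliberately reduced to digits with an optional exponent, no sign or fraction.

```c
/* Added example (not mjson's or HAProxy's code): a JSON number decoder whose
 * exponent handling costs O(exponent), next to a hardened one bounded by
 * O(log(min(exponent, EXP_CAP))). Grammar handled, by assumption:
 * digits [ ('e'|'E') ['+'|'-'] digits ]  (no sign, no fraction). */
#include <ctype.h>
#include <float.h>
#include <stdio.h>

/* |exponent| beyond this already overflows (or underflows) a double, so larger
 * values carry no information and may be clamped without changing the result
 * class (inf or 0). Subnormal results near 1e-320 round to 0 in this version. */
#define EXP_CAP 400

struct num_result {
    double value;
    unsigned long work; /* scaling-loop iterations: the attacker-controlled cost */
    int ok;             /* 0 if the text is not a well-formed number */
};

/* Scan mantissa and exponent. With saturate=1 the exponent stops growing once
 * it reaches EXP_CAP, so neither the accumulator nor the later scaling loop
 * depends on how many exponent digits the attacker supplies. With saturate=0
 * the accumulator can even overflow, as an unbounded decoder would. */
static int scan_number(const char *s, double *mant, long *exp, int saturate)
{
    const char *p = s;
    int neg = 0;

    *mant = 0.0;
    *exp = 0;
    if (!isdigit((unsigned char)*p))
        return 0;
    while (isdigit((unsigned char)*p))
        *mant = *mant * 10.0 + (*p++ - '0');
    if (*p == 'e' || *p == 'E') {
        p++;
        if (*p == '-') { neg = 1; p++; }
        else if (*p == '+') p++;
        if (!isdigit((unsigned char)*p))
            return 0;                      /* "1e" is not a JSON number */
        while (isdigit((unsigned char)*p)) {
            if (!saturate || *exp < EXP_CAP)
                *exp = *exp * 10 + (*p - '0');
            p++;
        }
    }
    if (*p != '\0')
        return 0;
    if (neg)
        *exp = -*exp;
    return 1;
}

/* Vulnerable shape: one multiplication (or division) per unit of exponent.
 * "1e999999999" means a billion iterations, long enough to trip a watchdog. */
struct num_result parse_number_naive(const char *s)
{
    struct num_result r = {0.0, 0, 0};
    long exp;

    r.ok = scan_number(s, &r.value, &exp, 0);
    if (!r.ok)
        return r;
    for (; exp > 0; exp--, r.work++)
        r.value *= 10.0;
    for (; exp < 0; exp++, r.work++)
        r.value /= 10.0;
    return r;
}

/* Hardened shape: clamp the exponent, then apply it by repeated squaring so
 * the loop runs at most log2(EXP_CAP)+1 times whatever the input says. */
struct num_result parse_number_hardened(const char *s)
{
    struct num_result r = {0.0, 0, 0};
    long exp, e;
    double base = 10.0, scale = 1.0;

    r.ok = scan_number(s, &r.value, &exp, 1);
    if (!r.ok)
        return r;
    e = exp < 0 ? -exp : exp;
    if (e > EXP_CAP)
        e = EXP_CAP;
    for (; e > 0; e >>= 1, r.work++) {
        if (e & 1)
            scale *= base;
        base *= base;
    }
    r.value = exp < 0 ? r.value / scale : r.value * scale;
    return r;
}

int main(void)
{
    /* Constructed inputs: a moderate exponent for the naive decoder (a real
     * "1e999999999" would spin for seconds) and an absurd one for the other. */
    struct num_result n = parse_number_naive("1e100000");
    struct num_result h = parse_number_hardened("1e999999999999999999999");

    printf("naive    1e100000: %lu scaling steps, value %g\n", n.work, n.value);
    printf("hardened 1e999999999999999999999: %lu scaling steps, value %g\n",
           h.work, h.value);
    return 0;
}
```

The point to take from the two decoders is that the naive one's running time is chosen by whoever writes the JSON (or the JWT whose payload is being queried), while the hardened one's is fixed by the decoder; this is also why a regex on the input is a poor defence, since the dangerous number may sit anywhere inside a nested document or a base64-encoded token.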
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.8.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (17):
      MINOR: quic: extend return value during TP parsing
      BUG/MINOR: quic: use proper error code on missing CID in TPs
      BUG/MINOR: quic: use proper error code on invalid server TP
      BUG/MINOR: quic: reject retry_source_cid TP on server side
      BUG/MINOR: quic: use proper error code on invalid received TP value
      BUG/MINOR: quic: fix TP reject on invalid max-ack-delay
      BUG/MINOR: quic: reject invalid max_udp_payload size
      BUG/MINOR: mux-quic: do not decode if conn in error
      BUG/MINOR: config/server: reject QUIC addresses
      DOC: list missing global QUIC settings
      BUG/MINOR: mux-h1: fix wrong lock label
      BUG/MINOR: quic: do not emit probe data if CONNECTION_CLOSE requested
      MINOR: doc: add missing statistics column
      MINOR: doc: add missing statistics column
      BUG/MINOR: quic: fix room check if padding requested
      OPTIM: check: do not delay MUX for ALPN if SSL not active
      BUG/MEDIUM: checks: fix ALPN inheritance from server

Aurelien DARRAGON (10):
      MINOR: applet: add appctx_schedule() macro
      BUG/MINOR: dns: add tempo between 2 connection attempts for dns servers
      CLEANUP: dns: remove unused dns_stream_server struct member
      BUG/MINOR: dns: prevent ds accumulation within dss
      BUG/MINOR: proxy: only use proxy_inc_fe_cum_sess_ver_ctr() with frontends
      BUG/MINOR: cli: fix too many args detection for commands
      BUG/MINOR: threads: fix soft-stop without multithreading support
      BUG/MINOR: sink: detect and warn when using "send-proxy" options with ring servers
      DOC: config: restore default values for resolvers hold directive
      BUG/MINOR: hlua: take default-path into account with lua-load-per-thread

Christopher Faulet (35):
      BUG/MINOR: cli: Issue an error when too many args are passed for a command
      BUG/MINOR: mux-h1: Don't pretend connection was released for TCP>H1>H2 upgrade
      BUG/MINOR: mux-h1: Fix trace message in h1_detroy() to not relay on connection
      BUG/MINOR: hlua: Fix Channel:data() and Channel:line() to respect documentation
      MEDIUM: hlua: Add function to change the body length of an HTTP Message
      BUG/MINOR: mux-h2: Reset streams with NO_ERROR code if full response was already sent
      BUG/MINOR: h3: Set HTX flags corresponding to the scheme found in the request
      REGTESTS: Make the script testing conditional set-var compatible with Vtest2
      CI: vtest: Rely on VTest2 to run regression tests
      REGTESTS: Explicitly allow failing shell commands in some scripts
      BUG/MEDIUM: httpclient: Throw an error if an lua httpclient instance is reused
      DOC: hlua: Add a note to warn user about httpclient object reuse
      BUG/MEDIUM: check: Requeue healthchecks on I/O events to handle check timeout
      BUG/MEDIUM: check: Set SOCKERR by default when a connection error is reported
      BUG/MINOR: stream: Avoid recursive evaluation for unique-id based on itself
      BUG/MINOR: log: Be able to use %ID alias at anytime of the stream's evaluation
      BUG/MEDIUM: hlua: Forbid any L6/L7 sample fetche functions from lua services
      BUG/MEDIUM: mux-h2: Properly handle connection error during preface sending
      BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
      BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
      BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
      BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established
      BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred
      BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
      BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred
      BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
      BUG/MINOR: http-client: Reject any 101-switching-protocols response
      BUG/MEDIUM: http-client: Drain the request if an early response is received
      BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM
      BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
      BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer
      BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default server
      BUG/MINOR: server: Update healthcheck when server settings are changed via CLI
      BUG/MINOR: h3: Fix errors introduced because of failed backport
      Revert "BUG/MINOR: config/server: reject QUIC addresses"

Frederic Lecaille (3):
      CLEANUP: quic: Useless BIO_METHOD initialization
      MINOR: quic: Add useful error traces about qc_ssl_sess_init() failures
      BUG/MINOR: quic: wrong QUIC_FT_CONNECTION_CLOSE(0x1c) frame encoding

Lukas Tribus (3):
      DOC: ring: refer to newer RFC5424
      DOC: management: fix typo in commit f4f93c56
      DOC: config: recommend single quoting passwords

Olivier Houchard (6):
      BUG/MEDIUM: fd: Use the provided tgid in fd_insert() to get tgroup_info
      BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
      BUG/MEDIUM: ssl: Fix 0rtt to the server
      BUG/MEDIUM: ssl: fix build with AWS-LC
      BUG/MEDIUM: h1: Allow reception if we have early data
      BUG/MEDIUM: ssl: create the mux immediately on early data

Remi Tricot-Le Breton (4):
      BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter
      DOC: Fix 'jwt_verify' converter doc
      BUG/MINOR: init: Initialize random seed earlier in the init process
      BUG/MINOR: ocsp: Crash when updating CA during ocsp updates

Valentine Krasnobaeva (8):
      BUG/MINOR: limits: compute_ideal_maxconn: don't cap remain if fd_hard_limit=0
      BUG/MINOR: init: relax LSTCHK_NETADM checks for non root
      MINOR: compiler: add __nonstring macro
      DOC: config: prefer-last-server: add notes for non-deterministic algorithms
      BUG/MINOR: halog: exit with error when some output filters are set simultaneosly
      BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR
      BUG/MINOR: acl: set arg_list->kw to aclkw->kw string literal if aclkw is found
      BUG/MINOR: resolvers: always normalize FQDN from response

William Lallemand (6):
      BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
      DOC: configuration: add details on prefer-client-ciphers
      DOC: management: clarify usage of -V with -c
      DOC: unreliable sockpair@ on macOS
      DOC: configuration: confuse "strict-mode" with "zero-warning"
      BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file

Willy Tarreau (16):
      BUG/MAJOR: listeners: transfer connection accounting when switching listeners
      DOC: config: recommend disabling libc-based resolution with resolvers
      BUG/MINOR: h3: don't insert more than one Host header
      BUILD: makefile: enable backtrace by default on musl
      DOC: hlua: fix a few typos in HTTPMessage.set_body_len() documentation
      MINOR: http: add a function to validate characters of :authority
      BUG/MEDIUM: h2/h3: reject some forbidden chars in :authority before reassembly
      BUG/MEDIUM: h1/h2/h3: reject forbidden chars in the Host header field
      SCRIPTS: drop the HTML generation from announce-release
      BUG/MINOR: listener: really assign distinct IDs to shards
      BUILD: compat: always set _POSIX_VERSION to ease comparisons
      BUG/MINOR: haproxy: be sure not to quit too early on soft stop
      BUILD: acl: silence a possible null deref warning in parse_acl_expr()
      BUG/MINOR: activity: fix reporting of task latency
      DOC: config: clarify some known limitations of the json_query() converter
      BUG/CRITICAL: mjson: fix possible DoS when parsing numbers

zhanhb (2):
      BUG/MINOR: h2: forbid 'Z' as well in header field names checks
      BUG/MINOR: h3: forbid 'Z' as well in header field names checks

---
Christopher Faulet

