Hi,

HAProxy 2.4.30 was released on 2025/10/03. It added 7 new commits after version 2.4.29.

As for other releases announced this morning, this one is mainly about the mjson fix. Indeed, an issue in the mjson JSON decoder causes numbers with large exponents to eat a lot of CPU and possibly even to trigger the watchdog and kill the process. It affects converters "json_query()", "jwt_header_query()", and "jwt_payload_query()". There's no workaround for this because the issue is at a really low level in the decoder, so one cannot really count on a reasonable regex or such a thing to fix this. This bug was assigned CVE-2025-11230 and affects all versions featuring the JSON decoder, or 2.4 and above. Only an update will fix this. We'd like to thank Oula Kivalo for reporting the issue with a reproducer.

As a note, we were notified that CVE-2023-30421 had already been assigned to the mjson library two years ago about the same issue but no fix had been issued and it was not mentioned in the project (though an issue about this was reported).

The only other fix is about an issue in H2 where 'Z' character was not rejected as expected from header field names. Thanks to @zhanhb for the fix.

Finally, the documentation about json_query() converter was improved to clarify some known limitations.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : https://www.haproxy.org/download/2.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Valentine Krasnobaeva (1):
      MINOR: compiler: add __nonstring macro

Willy Tarreau (5):
      DOC: config: clarify some known limitations of the json_query() converter
      BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
      BUILD: compiler: add a macro to detect if another one is set and equals 1
      BUILD: compiler: fix __equals_1() on older compilers
      BUILD: compiler: add a default definition for __has_attribute()

zhanhb (1):
      BUG/MINOR: h2: forbid 'Z' as well in header field names checks

---
Christopher Faulet
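
To gauge exposure to the mjson issue described above, the following Python check (an added example, not part of the original announcement and not HAProxy tooling) lists active uses of the three affected converters in a configuration and compares a `haproxy -v` banner against 2.4.30. The function names, the sample configuration and the sample banner are assumptions made for illustration; fixed versions for branches other than 2.4 are not given in this message, so those return None.

```python
import re

# Converters the announcement names as reaching the mjson decoder.
AFFECTED = ("json_query", "jwt_header_query", "jwt_payload_query")
CONV_RE = re.compile(r"\b(" + "|".join(AFFECTED) + r")\s*\(")
FIXED_2_4 = (2, 4, 30)  # fixed release for the 2.4 branch, per the announcement

def strip_comment(line):
    """Drop a trailing '#' comment, honouring quotes and backslash escapes."""
    out, quote, i = [], None, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quote != "'" and i + 1 < len(line):
            out.append(line[i:i + 2])  # escaped character, keep both characters
            i += 2
            continue
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            break
        out.append(ch)
        i += 1
    return "".join(out)

def find_affected(cfg_text):
    """Return (line_no, converter) for each affected call outside comments."""
    hits = []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        line = strip_comment(raw)
        hits += [(no, m.group(1)) for m in CONV_RE.finditer(line)]
    return hits

def needs_update(banner):
    """True/False on the 2.4 branch; None for anything this page cannot decide."""
    m = re.search(r"version (\d+)\.(\d+)\.(\d+)", banner)
    ver = tuple(map(int, m.groups())) if m else ()
    return ver < FIXED_2_4 if ver[:2] == (2, 4) else None

# Constructed sample configuration, not taken from the announcement.
SAMPLE_CFG = """\
frontend api
    # http-request set-var(txn.u) req.body,json_query('$.user')
    http-request set-var(txn.id) req.body,json_query('$.id','int')
backend app
    http-request set-var(txn.alg) http_auth_bearer,jwt_header_query('$.alg')
"""
if __name__ == "__main__":
    print(find_affected(SAMPLE_CFG), needs_update("HAProxy version 2.4.29"))
```

A hit only shows that the configuration can reach the decoder; as stated above, the remedy is the update, not a configuration change.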

