Hi, HAProxy 2.6.23 was released on 2025/10/03. It added 35 new commits after version 2.6.22.
This is not the usual announce message describing all bugs fixed by this release. Here, only the critical fix about the mjson JSON decoder will be described. The formal announce message will come quickly after that, by replying to this mail, most probably next Monday.

So, as said, an issue in the mjson JSON decoder causes numbers with large exponents to eat a lot of CPU and possibly even to trigger the watchdog and kill the process. It affects the converters "json_query()", "jwt_header_query()", and "jwt_payload_query()". There's no workaround for this because the issue is at a really low level in the decoder, so one cannot really count on a reasonable regex or such a thing to fix this. This bug was assigned CVE-2025-11230 and affects all versions featuring the JSON decoder, i.e. 2.4 and above. Only an update will fix this.

We'd like to thank Oula Kivalo for reporting the issue with a reproducer.

As a note, we were notified that CVE-2023-30421 had already been assigned to the mjson library two years ago about the same issue, but no fix had been issued and it was not mentioned in the project (though an issue about this was reported).

If you rely on one of the converters above, you must definitely upgrade. Otherwise, stay tuned for the official announce message to have more info about this release.
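To make the failure mode concrete, here is an added illustration that is not mjson's or HAProxy's code and does not reproduce the actual decoder: a small JSON number scanner feeding two evaluators, one whose work grows with the value of the exponent an attacker writes (the class of bug described above) and one whose work is bounded by the length of the input. All function and macro names (scan_number, json_number_naive, json_number_bounded, EXP10_LIMIT, EXP10_SAT) are invented for this example.

```c
#include <ctype.h>
#include <float.h>
#include <stddef.h>

/* Hypothetical illustration of the failure-mode class, not mjson's or HAProxy's
 * code: one JSON number scanner feeding two evaluators, one whose work grows with
 * the exponent VALUE an attacker writes and one whose work is bounded by input
 * LENGTH. All function and macro names are invented for this example. */

#define EXP10_SAT   100000000L  /* stop accumulating exponent digits here   */
#define EXP10_LIMIT 400L        /* beyond this a double is already inf or 0 */

/* Scan '-'? digits ('.' digits)? ([eE][+-]? digits)? at s. Yields the integer
 * formed by all mantissa digits, the decimal exponent to apply (fraction length
 * folded in) and the digit count. Returns bytes consumed, 0 on syntax error. */
static size_t scan_number(const char *s, double *mant, long *exp10, long *ndig)
{
    size_t i = 0;
    double m = 0.0;
    long frac = 0, e = 0, digits = 0;
    int neg = 0, eneg = 0;

    if (s[i] == '-') { neg = 1; i++; }
    while (isdigit((unsigned char)s[i])) { m = m * 10.0 + (s[i++] - '0'); digits++; }
    if (s[i] == '.') {
        i++;
        while (isdigit((unsigned char)s[i])) { m = m * 10.0 + (s[i++] - '0'); digits++; frac++; }
    }
    if (!digits)
        return 0;
    if (s[i] == 'e' || s[i] == 'E') {
        i++;
        if (s[i] == '+' || s[i] == '-')
            eneg = (s[i++] == '-');
        if (!isdigit((unsigned char)s[i]))
            return 0;
        while (isdigit((unsigned char)s[i])) {
            if (e < EXP10_SAT)          /* saturate rather than overflow 'e' */
                e = e * 10 + (s[i] - '0');
            i++;
        }
    }
    *mant = neg ? -m : m;
    *exp10 = (eneg ? -e : e) - frac;
    *ndig = digits;
    return i;
}

/* Vulnerable pattern: one multiplication per unit of exponent. Work is
 * O(|exp10|): "1e999999999" spins about 1e9 times although the value has been
 * inf since step 309. Returns the loop count, -1 on syntax error. */
long json_number_naive(const char *s, double *out)
{
    double m;
    long e, nd, work = 0;

    if (!scan_number(s, &m, &e, &nd))
        return -1;
    while (e > 0) { m *= 10.0; e--; work++; }
    while (e < 0) { m /= 10.0; e++; work++; }
    *out = m;
    return work;
}

/* 10^k for 0 <= k <= 300 by repeated squaring: at most nine multiplications. */
static double pow10_small(long k)
{
    double p = 10.0, r = 1.0;

    for (; k; k >>= 1, p *= p)
        if (k & 1)
            r *= p;
    return r;
}

/* Hardened pattern: clamp the exponent to the range where it can still change a
 * double (relative to the digit count), then scale in chunks of at most 10^300
 * so nothing overflows early. Work is O(digits), never O(exponent value).
 * Returns 1 if clamped (value is inf or 0), 0 otherwise, -1 on syntax error. */
long json_number_bounded(const char *s, double *out)
{
    double m;
    long e, nd, clamped = 0;

    if (!scan_number(s, &m, &e, &nd))
        return -1;
    if (e > EXP10_LIMIT) {                   /* |mantissa| >= 1: inf anyway  */
        e = EXP10_LIMIT;
        clamped = 1;
    } else if (e < -(EXP10_LIMIT + nd)) {    /* |mantissa| < 10^nd: 0 anyway */
        e = -(EXP10_LIMIT + nd);
        clamped = 1;
    }
    while (e > 0) { long k = e > 300 ? 300 : e;  m *= pow10_small(k); e -= k; }
    while (e < 0) { long k = e < -300 ? 300 : -e; m /= pow10_small(k); e += k; }
    *out = m;
    return clamped;
}
```

Calling json_number_naive() on a token such as "1e999999999" keeps one CPU busy for seconds (the scanner saturates the exponent at about 1e9, so it does terminate), which is the shape of behaviour a request-body or JWT payload can trigger in a decoder with this weakness; json_number_bounded() on the same token returns immediately with inf and the clamped flag set. The bounded variant trades exact rounding at extreme magnitudes for a hard cap on work; a real decoder would more likely hand the token to a correctly rounded conversion routine whose cost is already bounded.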
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.6/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : https://www.haproxy.org/download/2.6/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (7):
      MINOR: quic: extend return value during TP parsing
      BUG/MINOR: quic: use proper error code on missing CID in TPs
      BUG/MINOR: quic: use proper error code on invalid server TP
      BUG/MINOR: quic: reject retry_source_cid TP on server side
      BUG/MINOR: quic: use proper error code on invalid received TP value
      BUG/MINOR: quic: fix TP reject on invalid max-ack-delay
      BUG/MINOR: quic: reject invalid max_udp_payload size

Aurelien DARRAGON (5):
      MINOR: applet: add appctx_schedule() macro
      BUG/MINOR: dns: add tempo between 2 connection attempts for dns servers
      BUG/MINOR: cli: fix too many args detection for commands
      BUG/MINOR: sink: detect and warn when using "send-proxy" options with ring servers
      DOC: config: restore default values for resolvers hold directive

Christopher Faulet (10):
      BUG/MINOR: cli: Issue an error when too many args are passed for a command
      BUG/MINOR: mux-h1: Don't pretend connection was released for TCP>H1>H2 upgrade
      BUG/MINOR: mux-h1: Fix trace message in h1_detroy() to not relay on connection
      BUG/MINOR: hlua: Fix Channel:data() and Channel:line() to respect documentation
      MEDIUM: hlua: Add function to change the body length of an HTTP Message
      BUG/MINOR: mux-h2: Reset streams with NO_ERROR code if full response was already sent
      BUG/MINOR: h3: Set HTX flags corresponding to the scheme found in the request
      REGTESTS: Make the script testing conditional set-var compatible with Vtest2
      CI: vtest: Rely on VTest2 to run regression tests
      REGTESTS: Explicitly allow failing shell commands in some scripts

Frederic Lecaille (2):
      CLEANUP: quic: Useless BIO_METHOD initialization
      MINOR: quic: Add useful error traces about qc_ssl_sess_init() failures

Lukas Tribus (1):
      DOC: ring: refer to newer RFC5424

Valentine Krasnobaeva (2):
      BUG/MINOR: limits: compute_ideal_maxconn: don't cap remain if fd_hard_limit=0
      MINOR: compiler: add __nonstring macro

Willy Tarreau (6):
      DOC: config: recommend disabling libc-based resolution with resolvers
      DOC: config: clarify some known limitations of the json_query() converter
      BUG/CRITICAL: mjson: fix possible DoS when parsing numbers
      BUILD: compiler: add a macro to detect if another one is set and equals 1
      BUILD: compiler: fix __equals_1() on older compilers
      BUILD: compiler: add a default definition for __has_attribute()

zhanhb (2):
      BUG/MINOR: h2: forbid 'Z' as well in header field names checks
      BUG/MINOR: h3: forbid 'Z' as well in header field names checks

---
Christopher Faulet

