Hi,

On 4/15/25 19:45, Camila Camargo de Matos wrote:
> Dear HAProxy team,
>
> I write to you today to ask more about the issue being described in the
> following commit:
>
> https://git.haproxy.org/?p=haproxy-3.0.git;a=commitdiff;h=52d8b01acdc1e21aeda985c87a9ad1229149d3f2
>
> To be more specific, I ask about the crash which is said to be caused by
> a use-after-free (UAF) condition. Would it be possible to confirm if
> said issue is considered security-relevant by the HAProxy team?
Issue has very limited scope. Only Lua scripts defining custom cli (through "core.register_cli()") are at risk. Moreover the issue requires a specific combination of events on the stats socket (which is rarely found to be exposed to users) for the issue to show up.

It was an opportunistic discovery when playing with an experimental Lua script which is really unconventional and tackles Lua engine limitations. Plus it doesn't seem to be reproducible on older haproxy versions.

All things considered, I really don't think we should consider this as being at risk from a security point of view.

Kind regards,
Aurelien