2020 Nomination for Best Server-Side Bug


Felix Wilhelm

A flaw was found in the way HAProxy (a widely used load balancer) processes certain HTTP/2 request packets. This flaw allows an attacker to send crafted HTTP/2 request packets, which cause memory corruption, leading to a crash or potential remote arbitrary code execution with the permissions of the process running HAProxy.

HAProxy: Out-of-Bounds Write in HTTP2 HPACK Dynamic Table (CVE-2020-11100)