Expanding Coverage: Web Proxies, Message Queues, and the Infrastructure Layer AI Stacks Depend On

Two new ecosystem batches are live on Attestd. 12 new infrastructure products added. Coverage moves from 27 to 39.
Batch 3 - Web, Proxy, and Reverse Proxy: HAProxy, Squid, Traefik, Jetty, Varnish Cache, Caddy
Batch 4 - Messaging and Queue: Apache ActiveMQ, Apache Kafka, RabbitMQ, Mosquitto, Apache Pulsar, ZeroMQ
Why these two layers matter
Application-level security scanning does not reach either of them.
Snyk, Dependabot, and pip-audit scan dependency manifests. HAProxy, Traefik, Squid, ActiveMQ, and Kafka are infrastructure. They do not appear in a Python requirements.txt or a Go go.mod. The only way to know whether you are running a vulnerable version is to check a CVE source with the product name and version string. That is what these two batches are for.
The web proxy layer is the entry point for every request into an infrastructure stack. A CVE in HAProxy or Traefik affects every downstream service regardless of how well those services are secured. It is also invisible to application scanning because application scanning does not instrument the proxy binary.
The messaging layer is directly downstream of model serving in most agent architectures. The common pattern: an inference endpoint produces an event to Kafka or ActiveMQ, a consumer processes it and takes an action. A critical CVE at the message broker means attacker-controlled code runs on the host that processes model outputs, with access to every credential and configuration in that environment.
The anchor: CVE-2023-46604 (Apache ActiveMQ)
This is the most significant CVE in either batch.
CVE-2023-46604 is a pre-authentication remote code execution vulnerability in Apache ActiveMQ's OpenWire protocol handler. CVSS 10.0. Listed in the CISA KEV catalog. Actively used in ransomware campaigns including HelloKitty and TellYouThePass within weeks of public disclosure.
The mechanism: an attacker sends a crafted ExceptionResponse over OpenWire (default port 61616) that triggers ClassPathXmlApplicationContext to load a remote XML configuration file and instantiate arbitrary Java beans. No credentials required. The attacker controls what code runs on the broker host.
Fixed in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3. Any ActiveMQ instance on an older minor branch is affected.
curl "https://api.attestd.io/v1/check?product=apache_activemq&version=5.15.14" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .

{
  "product": "apache_activemq",
  "version": "5.15.14",
  "supported": true,
  "risk_state": "critical",
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "5.15.16",
  "confidence": 0.95,
  "last_updated": "2026-05-01T10:00:00Z"
}
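A branch-aware resolution of the fixed versions listed above, as an added example (not Attestd's code): it maps an installed version to its major.minor branch and picks the fix for that branch, or the lowest fix on a newer branch when the installed branch has none. The rules are assumptions drawn from the advisory wording; the same function also fits the two-branch Traefik fix list in the next section.

```python
from typing import Dict, List, Optional, Tuple

# Fixed versions per release branch, as listed for CVE-2023-46604 above.
ACTIVEMQ_CVE_2023_46604_FIXES = ["5.15.16", "5.16.7", "5.17.6", "5.18.3"]

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'5.15.14' -> (5, 15, 14); a suffix such as '-SNAPSHOT' is ignored."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def branch(version: Version) -> Version:
    """Release branch is major.minor, e.g. (5, 15) for 5.15.14."""
    return version[:2]

def resolve_fix(version: str, fixed_versions: List[str]) -> dict:
    """Decide whether `version` is affected and which fixed version applies.

    Rules (assumed from the advisory wording, not Attestd's algorithm):
      - on a branch that received a fix: affected iff older than that fix;
      - on a branch with no fix of its own: affected, and the fix is the
        lowest fixed version on a newer branch (upgrade across branches);
      - newer than every fixed branch: treated as not affected.
    """
    parsed = parse_version(version)
    fixes: Dict[Version, Version] = {
        branch(parse_version(f)): parse_version(f) for f in fixed_versions
    }
    own = branch(parsed)
    if own in fixes:
        affected = parsed < fixes[own]
        fix: Optional[Version] = fixes[own] if affected else None
    else:
        newer = [fixes[b] for b in fixes if b > own]
        affected = bool(newer)
        fix = min(newer) if newer else None
    return {
        "version": version,
        "affected": affected,
        "fixed_version": ".".join(map(str, fix)) if fix else None,
    }
```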
Other high-severity findings
Traefik - CVE-2024-45410 (CVSS 9.8)
HTTP header injection in Traefik's HTTP/1.1 request handling. Attacker-controlled header values are forwarded to upstream services without sanitisation. In a Kubernetes ingress configuration, injected headers reach every internal service behind the proxy simultaneously, potentially bypassing authentication or poisoning downstream trust decisions.
Affects Traefik before 2.11.8 and 3.1.5.
Traefik is the dominant ingress controller in container-native AI deployments. Every request to a model serving endpoint goes through it.
Squid - CVE-2023-49285 (CVSS 9.8)
Buffer over-read in HTTP request header parsing. A crafted status line triggers the vulnerability. Unauthenticated, remotely exploitable, no user interaction required. Affects Squid before 6.5.
ZeroMQ - CVE-2019-13132 (CVSS 9.8)
Stack overflow via crafted SUBSCRIBE message, enabling remote code execution. Affects libzmq before 4.3.2.
This one requires context. ZeroMQ is a direct dependency of Jupyter kernels. Every Jupyter notebook server running a kernel has libzmq loaded in process. The attack surface here is not a message broker; it is every client that embeds the library, which includes most data science and AI development environments.
HAProxy - CVE-2021-40346 and CVE-2023-45539#
CVE-2021-40346 is HTTP request smuggling via integer overflow in htx_add_header. Crafted Content-Length header values trigger an overflow that allows smuggled requests to reach backends appearing to originate from the proxy itself, bypassing WAF rules and authentication middleware.
CVE-2023-45539 is header injection via an unstripped hash character in URI paths. Affects HAProxy before 2.8.5.
HAProxy is its own CNA, which means its NVD records consistently have full version range data. The synthesis quality on HAProxy records is high.
Checking your stack
All 12 products are available via the standard /v1/check endpoint.
from attestd import Client

client = Client(api_key="YOUR_API_KEY")

# Product identifier and the version string reported by each running service.
stack = {
    "apache_activemq": "5.15.14",
    "apache_kafka": "2.8.0",
    "traefik": "2.10.0",
    "haproxy": "2.6.0",
    "squid": "5.9",
    "rabbitmq": "3.11.0",
}

for product, version in stack.items():
    result = client.check(product, version)
    if result.risk_state in ("critical", "high", "elevated"):
        print(f"{product} {version}: {result.risk_state}")
        if result.fixed_version:
            print(f"  Fix: {result.fixed_version}")
Technical decisions worth noting
Three products in this expansion required dual CPE namespace handling. Jetty has pre-Eclipse Foundation CVEs under mortbay:jetty and post-adoption CVEs under eclipse:jetty. RabbitMQ has pre-VMware acquisition CVEs under pivotal_software:rabbitmq and post-acquisition CVEs under vmware:rabbitmq. Varnish Cache has a historical project naming split across two namespaces. Attestd queries both namespaces in each case and deduplicates on CVE ID, the same pattern used for nginx and Docker Engine.
Two products were evaluated and deferred. nginx Unit had two total CVE records in NVD, both sentinel (no usable version ranges). NATS had zero non-sentinel records across both known CPE namespaces. Neither had enough data to produce reliable version-level synthesis. They are documented for re-evaluation as NVD coverage improves.
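The dual-namespace merge and the sentinel check described in the two paragraphs above, as an added example (not Attestd's code): records under both Jetty namespaces are deduplicated on CVE ID, records with no version bounds are counted as sentinels, and a product is only synthesis-ready when at least one usable range survives. The record shape and the CVE IDs are constructed placeholders, not NVD data.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set

RANGE_KEYS = ("start_incl", "start_excl", "end_incl", "end_excl")

# Constructed sample (simplified NVD CPE matches, placeholder CVE IDs):
# CVE-XXXX-0002 sits under both Jetty namespaces, CVE-XXXX-0003 is a
# sentinel with no bounds, and the last record is an unrelated product.
RECORDS = [
    {"cve": "CVE-XXXX-0001", "cpe": "cpe:2.3:a:mortbay:jetty:*:*", "end_excl": "6.1.26"},
    {"cve": "CVE-XXXX-0002", "cpe": "cpe:2.3:a:mortbay:jetty:*:*", "end_excl": "9.2.0"},
    {"cve": "CVE-XXXX-0002", "cpe": "cpe:2.3:a:eclipse:jetty:*:*",
     "start_incl": "9.0.0", "end_excl": "9.2.0"},
    {"cve": "CVE-XXXX-0003", "cpe": "cpe:2.3:a:eclipse:jetty:*:*"},
    {"cve": "CVE-XXXX-0004", "cpe": "cpe:2.3:a:otherco:jetty_plugin:*:*", "end_excl": "1.0"},
]
JETTY_NAMESPACES = {"mortbay:jetty", "eclipse:jetty"}

def cpe_namespace(cpe: str) -> str:
    """'cpe:2.3:a:eclipse:jetty:*:*' -> 'eclipse:jetty' (vendor:product)."""
    fields = cpe.split(":")
    return f"{fields[3]}:{fields[4]}"

def is_sentinel(record: dict) -> bool:
    """No version bounds at all: the record cannot support a version verdict."""
    return not any(record.get(k) for k in RANGE_KEYS)

def merge_namespaces(records: Iterable[dict], namespaces: Set[str]) -> Dict[str, dict]:
    """Results from several namespaces, deduplicated on CVE ID.
    Distinct version ranges contributed by each namespace are all kept."""
    merged: Dict[str, dict] = defaultdict(lambda: {"ranges": [], "namespaces": set()})
    for rec in records:
        ns = cpe_namespace(rec["cpe"])
        if ns not in namespaces:
            continue
        entry = merged[rec["cve"]]
        entry["namespaces"].add(ns)
        if not is_sentinel(rec):
            rng = {k: rec.get(k) for k in RANGE_KEYS}
            if rng not in entry["ranges"]:
                entry["ranges"].append(rng)
    return dict(merged)

def coverage_report(records: Iterable[dict], namespaces: Set[str]) -> dict:
    """Count usable vs sentinel CVEs; synthesis needs at least one usable range."""
    merged = merge_namespaces(records, namespaces)
    usable = sum(1 for e in merged.values() if e["ranges"])
    return {"cves": len(merged), "usable": usable,
            "sentinel": len(merged) - usable, "synthesis_ready": usable > 0}
```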
Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.