Denial of Service Vulnerability in Envoy's HTTP/2 Protocol Stack
CVE-2024-27919

7.5HIGH

Key Information:

Vendor: Envoyproxy
Status: Envoy
Vendor: CVE Published:; 4 April 2024

What is CVE-2024-27919?

A vulnerability exists in Envoy's HTTP/2 protocol stack in versions 1.29.0 and 1.29.1 that enables an attacker to exploit the continuous sending of CONTINUATION frames. This occurs when the codec fails to reset a request after the header map limits have exceeded, potentially causing unlimited memory consumption which leads to a denial of service through memory exhaustion. To mitigate this issue, users are advised to upgrade to version 1.29.2 or later. As an alternative workaround, downgrading to version 1.28.1 or earlier, or disabling HTTP/2 protocol for downstream connections, is recommended.

Affected Version(s)

envoy >= 1.29.0, < 1.29.2

References

https://github.com/envoyproxy/envoy/security/advisories/G...

x_refsource_CONFIRM

https://github.com/envoyproxy/envoy/commit/57a02565532c18...

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2024/04/05/3

EPSS Score

86% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2024

CVE-2024-27919 Data

JSON

Envoyproxy

What is CVE-2024-27919?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline