Envoy HTTP/2 Protocol Vulnerable to CPU Exhaustion Due to CONTINUATION Frame Flood
CVE-2024-30255
Key Information:
- Vendor
Envoyproxy
- Status
- Vendor
- CVE Published:
- 4 April 2024
Badges
What is CVE-2024-30255?
The Envoy Proxy's implementation of the HTTP/2 protocol exhibits a vulnerability that allows attackers to exhaust CPU resources via an uncontrolled influx of CONTINUATION frames. This behavior is prevalent in Envoy versions released before 1.29.3, 1.28.2, 1.27.4, and 1.26.8. An attacker can exploit this flaw to send numerous CONTINUATION frames that exceed the predefined header map limits, leading to high CPU utilization β approximately one core per 300Mbit/s of traffic being directed at the service. This results in significant service disruption through denial of service as the system struggles to handle incoming requests. To protect systems, it's recommended that users upgrade to the latest versions or disable HTTP/2 protocol for affected downstream connections.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
envoy >= 1.29.0, < 1.29.3 < 1.29.0, 1.29.3
envoy >= 1.28.0, < 1.28.2 < 1.28.0, 1.28.2
envoy >= 1.27.0, < 1.27.4 < 1.27.0, 1.27.4
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
88% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published