CVE-2024-27919
published 2024-04-04


Priority: P2 · 61 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 86.75% (99.7th percentile)
Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, the Envoy HTTP/2 protocol stack is vulnerable to a flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing unlimited memory consumption. This can lead to denial of service through memory exhaustion. Users should upgrade to version 1.29.2 to mitigate the effects of the CONTINUATION flood. Note that this vulnerability is a regression in Envoy versions 1.29.0 and 1.29.1 only. As a workaround, downgrade to version 1.28.1 or earlier, or disable the HTTP/2 protocol for downstream connections.

Affected

3 ranges

Vendor       Product   Version range   Fixed in
envoyproxy   envoy
envoyproxy   envoy
envoyproxy   envoy

Detection & IOCs (extracted from sources)

  • Detect HTTP/2 CONTINUATION frame floods: look for streams with a high volume of CONTINUATION frames sent without the END_HEADERS bit set, which indicates potential exploitation of this vulnerability.
  • Monitor Envoy proxy processes for abnormal memory growth or exhaustion, which may indicate an active CONTINUATION flood attack against HTTP/2 downstream connections.
  • The vulnerability is specific to Envoy's oghttp codec implementation; focus detection efforts on Envoy instances using the oghttp codec with HTTP/2 enabled on downstream connections.
  • Unauthenticated remote attackers can trigger this; ensure network-level monitoring covers unauthenticated HTTP/2 traffic to Envoy endpoints, not just authenticated sessions.
  • The vulnerability is a regression present only in Envoy versions 1.29.0 and 1.29.1. Versions 1.28.x and earlier are not affected. Scope detection and patching efforts accordingly.
  • As a workaround, HTTP/2 can be disabled for downstream connections to eliminate the attack surface without upgrading.
  • No Red Hat products ship a vulnerable version of Envoy; all listed Red Hat packages are confirmed not affected.
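The first detection bullet describes the pattern to look for: a header block on one stream that keeps receiving CONTINUATION frames without ever carrying END_HEADERS. As an added example (not code from the advisory or from Envoy), the Python below parses raw HTTP/2 frame headers from a byte buffer and flags streams whose header block stays open past a frame or byte budget, the check the codec was missing. Function names, thresholds and the sample bytes are assumptions constructed for the example.

```python
import struct
TYPE_HEADERS, TYPE_CONTINUATION, FLAG_END_HEADERS = 0x1, 0x9, 0x4

def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in the buffer."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop rather than misparse
        yield ftype, flags, sid, payload
        off += 9 + length

def find_continuation_floods(data, max_frames=4, max_header_bytes=8192):
    """Return {stream_id: reason} for header blocks left open (no END_HEADERS) beyond
    max_frames CONTINUATION frames or max_header_bytes. Thresholds are assumed values."""
    open_blocks = {}  # stream_id -> [continuation_count, raw header bytes so far]
    flagged = {}
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == TYPE_HEADERS:
            open_blocks[sid] = [0, len(payload)]       # a new header block starts
        elif ftype == TYPE_CONTINUATION and sid in open_blocks:
            open_blocks[sid][0] += 1
            open_blocks[sid][1] += len(payload)
        else:
            continue
        count, nbytes = open_blocks[sid]
        if flags & FLAG_END_HEADERS:
            del open_blocks[sid]                       # block closed normally: benign
        elif count > max_frames:
            flagged[sid] = f"{count} CONTINUATION frames without END_HEADERS"
        elif nbytes > max_header_bytes:
            flagged[sid] = f"{nbytes} header bytes without END_HEADERS"
    return flagged

# Constructed sample traffic (not a real capture): stream 1 is a legitimate header
# block split over three frames and closed; stream 3 is a block that is never closed.
SAMPLE = (build_frame(TYPE_HEADERS, 0, 1, b"\x88" * 100)
          + build_frame(TYPE_CONTINUATION, 0, 1, b"\x88" * 100)
          + build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x88" * 100)
          + build_frame(TYPE_HEADERS, 0, 3, b"\x88" * 500)
          + b"".join(build_frame(TYPE_CONTINUATION, 0, 3, b"\x88" * 500) for _ in range(6)))
```

Running `find_continuation_floods(SAMPLE)` flags only stream 3; lowering `max_header_bytes` instead reports the byte budget, which is the limit a codec should enforce by resetting the request.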

CVSS provenance

nvd: CVSS v3.1 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat: 7.5 HIGH