CVE-2024-45807
Published: 2024-09-20
Priority: P3 · 38 · Severity: high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.50% (38.7th percentile)
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using `oghttp` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the `oghttp2` by default. The impact of this issue is that envoy will crash. This issue has been addressed in release version 1.31.2. All users are advised to upgrade. There are no known workarounds for this issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | >= 1.31.0 < 1.31.2 | 1.31.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
envoy: Oghttp2 crash on `OnBeginHeadersForStream`
vendor_redhat · 2024-09-20 · CVSS 7.5
CVE-2024-45807 [HIGH] · CWE-670
A flaw was found in Envoy. Affected versions of Envoy are using `oghttp` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this issue, Envoy will switch off `oghttp2` by default. This issue may cause envoy to crash.
Statement: The issue
VulDB
Envoy 1.31.0/1.31.1 control flow (GHSA-qc52-r4x5-9w37 / Nessus ID 313613)
vuldb · 2026-05-10 · CVSS 7.5
CVE-2024-45807 [HIGH]
A vulnerability classified as critical was found in Envoy 1.31.0/1.31.1. This issue affects some unknown processing. Executing a manipulation can lead to incorrect control flow.
The identification of this vulnerability is CVE-2024-45807. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-09-20