Impact
This vulnerability allows an unauthenticated remote client to trigger memory exhaustion in Envoy by exploiting two behaviors in its HTTP/2 downstream request processing. Cookie header bytes are not fully counted during request header size validation, and HPACK header block limits are enforced only on the encoded header data, not on the total decoded size. An attacker can craft request headers that pass the size check while still causing Envoy to allocate large decoded header buffers, consuming memory until the Envoy process is terminated out-of-memory (OOM), resulting in a denial of service. The flaw affects Envoy releases older than 1.35.11, 1.36.7, 1.37.3, or 1.38.1; those versions contain the fix. No complete workaround other than upgrading is known; as partial mitigations, administrators can disable HTTP/2, enforce stricter header limits, and monitor memory usage for abnormal growth.
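To make the two accounting gaps concrete, the following is an added toy model (not Envoy's code) of a header-size validator. It uses a simplified HPACK-like instruction list instead of the real wire format, assumes a 60 KiB limit (Envoy's default max_request_headers_kb), and models the cookie gap as cookie bytes being left out of the count; the sample block is constructed for illustration.

```python
# Added illustration, not Envoy's code. A header block is a list of simplified instructions:
#   ("literal", name, value)  a field sent on the wire and added to the dynamic table
#   ("indexed", i)            a field repeated by referencing dynamic-table entry i
# Wire encoding and table eviction are omitted; only the byte accounting matters here.
from typing import List, Tuple

HPACK_FIELD_OVERHEAD = 32   # RFC 7541 section 4.1: a field costs len(name) + len(value) + 32
LIMIT_BYTES = 60 * 1024     # assumed limit, matching Envoy's default max_request_headers_kb


def encoded_size(block: List[tuple]) -> int:
    """Approximate bytes on the wire: literals carry their strings, an index costs one byte."""
    return sum(len(i[1]) + len(i[2]) + 2 if i[0] == "literal" else 1 for i in block)


def weak_check(block: List[tuple], limit: int = LIMIT_BYTES) -> bool:
    """Pre-fix behaviour as modelled from the advisory: the limit is applied to the
    encoded block only, and cookie bytes are not counted (a simplification of the gap)."""
    if encoded_size(block) > limit:
        return False
    counted = sum(len(i[1]) + len(i[2]) for i in block
                  if i[0] == "literal" and i[1] != "cookie")
    return counted <= limit


def fixed_check(block: List[tuple], limit: int = LIMIT_BYTES) -> Tuple[bool, int]:
    """Hardened check: decode incrementally and stop as soon as the cumulative decoded
    size, cookies included, exceeds the limit, so no oversized buffer is ever built.
    Returns (accepted, decoded_bytes_seen)."""
    table: List[Tuple[str, str]] = []
    total = 0
    for ins in block:
        if ins[0] == "literal":
            field = (ins[1], ins[2])
            table.insert(0, field)          # newest entry gets the lowest index
        else:
            field = table[ins[1]]
        total += len(field[0]) + len(field[1]) + HPACK_FIELD_OVERHEAD
        if total > limit:
            return False, total
    return True, total


def build_block(cookie_len: int, repeats: int) -> List[tuple]:
    """Constructed sample: one literal cookie, then that entry referenced `repeats` times."""
    return [("literal", "cookie", "a" * cookie_len)] + [("indexed", 0)] * repeats


if __name__ == "__main__":
    block = build_block(4000, 100)
    print("encoded bytes:", encoded_size(block))     # about 4 KiB on the wire
    print("weak check accepts:", weak_check(block))  # True: limit bypassed
    print("fixed check:", fixed_check(block))        # (False, ...): rejected early
```

The decoded total crosses the limit on the 16th field, so the hardened validator rejects the block after decoding roughly 64 KiB rather than the 400 KiB the full block would expand to.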
Affected Systems
Envoy, the open-source edge and service proxy, is impacted. Releases older than 1.35.11, 1.36.7, 1.37.3, or 1.38.1 are vulnerable; deployments running those versions with HTTP/2 enabled are at risk.
Risk and Exploitability
The CVSS score of 7.5 classifies this vulnerability as medium–high severity. The EPSS score of 0.00556 (under 1 %) indicates a very low probability that it will be exploited in the wild. It is not listed in CISA’s KEV catalog, suggesting there is no publicly known exploitation. The flaw can be triggered remotely over HTTP/2 without authentication or local privileges, so exposed Envoy deployments remain at risk.
OpenCVE Enrichment