Impact
The destructor of the JSON Object in Envoy can trigger a stack overflow when processing an object hierarchy that is over 100,000 levels deep. This stack-1124, and the known CWE list also includes CWE-776, indicating an additional weakness related to buffer handling. The overflow corrupts control data, causing the Envoy process to terminate unexpectedly. The immediate outcome is a denial of service to any service relying on that Envoy instance.
Affected Systems
Vulnerable versions are those older than Envoy 1.35.11, 1.36.7, 1.37.3, and 1.38.1. Any instance running those older releases that loads deeply nested configuration files can be vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates a high‑severity denial‑of‑service flaw. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation in the wild is uncertain. The likely attack vector is an attacker supplying a deeply nested JSON configuration that is processed by Envoy, causing the stack overflow during object destruction. A malformed configuration could lead to a crash and service disruption.
OpenCVE Enrichment