Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 through 1.11.1 for HTTP/1.x traffic and all versions of Envoy for HTTP/2 traffic had O(n^2) performance characteristics. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.
2019-10-09T16:15:14.687
2024-11-21T04:28:14.570
Modified
CVSSv3.1: 7.5 (HIGH)
AV:N/AC:L/Au:N/C:N/I:N/A:C
10.0
6.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | envoyproxy | envoy | 1.0.0 | Yes |
| Application | envoyproxy | envoy | 1.1.0 | Yes |
| Application | envoyproxy | envoy | 1.2.0 | Yes |
| Application | envoyproxy | envoy | 1.3.0 | Yes |
| Application | envoyproxy | envoy | 1.4.0 | Yes |
| Application | envoyproxy | envoy | 1.5.0 | Yes |
| Application | envoyproxy | envoy | 1.6.0 | Yes |
| Application | envoyproxy | envoy | 1.7.0 | Yes |
| Application | envoyproxy | envoy | 1.7.1 | Yes |
| Application | envoyproxy | envoy | 1.8.0 | Yes |
| Application | envoyproxy | envoy | 1.9.0 | Yes |
| Application | envoyproxy | envoy | 1.9.1 | Yes |
| Application | envoyproxy | envoy | 1.10.0 | Yes |
| Application | envoyproxy | envoy | 1.11.0 | Yes |
| Application | envoyproxy | envoy | 1.11.1 | Yes |
| Application | envoyproxy | envoy | 1.11.2 | Yes |