Mushroomwasp

**Name of the Vulnerable Software and Affected Versions** Envoy versions prior to 1.34.13 Envoy versions 1.35.0 through 1.35.7 Envoy versions 1.36.0 through 1.36.4 Envoy versions 1.37.0 **Description** Envoy is a high-performance edge/middle/service proxy. A logic issue exists in Envoy’s HTTP connection manager (FilterManager) that can lead to a "Use-After-Free" (UAF) or state-corruption. This occurs when filter callbacks are invoked on an HTTP stream that has already been reset and cleaned up. The issue resides in the `FilterManager::decodeData` method within `source/common/http/filter manager.cc`. The `ActiveStream` object remains valid during deferred deletion. If a DATA frame arrives on this stream immediately after the reset, the HTTP/2 codec invokes `ActiveStream::decodeData`, which calls `FilterManager::decodeData`. This method fails to check the `saw downstream reset ` flag and iterates over the `decoder filters ` list, invoking `decodeData()` on filters that have already received `onDestroy()`. **Recommendations** Update to Envoy version 1.34.13 or later. Update to Envoy version 1.35.8 or later. Update to Envoy version 1.36.5 or later. Update to Envoy version 1.37.1 or later.