Bartosz Borkowski

**Name of the Vulnerable Software and Affected Versions** Envoy versions 1.14.2, 1.13.2, 1.12.4 or earlier **Description** The issue arises when an HTTP/2 client requests a large payload but fails to send sufficient window updates to consume the entire stream and does not reset the stream, leading to increased memory usage. **Recommendations** For Envoy versions 1.14.2, 1.13.2, 1.12.4 or earlier, consider restricting the size of payloads from HTTP/2 clients or implementing measures to handle streams that are not properly consumed, such as resetting streams after a certain period of inactivity, until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.