Matt Klein

**Name of the Vulnerable Software and Affected Versions** Envoy versions prior to 1.15.0 **Description** The issue arises because Envoy only considers the first value when multiple header values are present for some HTTP headers. Additionally, Envoy's setCopy() header map API does not replace all existing occurrences of a non-inline header. **Recommendations** For versions prior to 1.15.0, update to version 1.15.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the setCopy() header map API to minimize the risk of exploitation. Avoid using non-inline headers in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Envoy versions 1.14.2, 1.13.2, 1.12.4 or earlier **Description** The issue arises when an HTTP/2 client requests a large payload but fails to send sufficient window updates to consume the entire stream and does not reset the stream, leading to increased memory usage. **Recommendations** For Envoy versions 1.14.2, 1.13.2, 1.12.4 or earlier, consider restricting the size of payloads from HTTP/2 clients or implementing measures to handle streams that are not properly consumed, such as resetting streams after a certain period of inactivity, until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.