Envoy · Envoy · CVE-2021-32778
**Name of the Vulnerable Software and Affected Versions**
- Envoy versions prior to 1.16.5
- Envoy versions prior to 1.17.4
- Envoy versions prior to 1.18.4
- Envoy versions prior to 1.19.1
**Description**
The procedure for resetting an HTTP/2 stream in Envoy has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. This makes deployments susceptible to Denial of Service when Envoy is configured with a high limit on HTTP/2 concurrent streams. An attacker would need to open and close a large number of HTTP/2 streams to exploit this issue.
**Recommendations**
For versions prior to 1.16.5, update to version 1.16.5 or later to reduce the time complexity of resetting HTTP/2 streams.
For versions prior to 1.17.4, update to version 1.17.4 or later to reduce the time complexity of resetting HTTP/2 streams.
For versions prior to 1.18.4, update to version 1.18.4 or later to reduce the time complexity of resetting HTTP/2 streams.
For versions prior to 1.19.1, update to version 1.19.1 or later to reduce the time complexity of resetting HTTP/2 streams.
As a temporary workaround, consider limiting the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number, such as 100.