Shachar Menashe

**Name of the Vulnerable Software and Affected Versions** Envoy versions prior to 1.22.1 **Description** The issue is related to the decode/encodeBody component of the Envoy proxy, which can lead to uncontrolled resource consumption. An attacker can exploit this by sending a specially crafted zip file, potentially causing a denial of service due to system memory exhaustion. This can be achieved by zip bombing the decompressor, where a small highly compressed payload is sent. **Recommendations** For versions prior to 1.22.1, users are advised to upgrade to a newer version to resolve the issue. As a temporary workaround, consider disabling decompression for users unable to upgrade.

**Name of the Vulnerable Software and Affected Versions** CivetWeb (affected versions not specified) **Description** The issue concerns the CivetWeb web library, which does not validate uploaded filepaths when running on an operating system other than Windows. This occurs when using the built-in HTTP form-based file upload mechanism via the `mg handle form request` API. Web applications that use the file upload form handler and include parts of the user-controlled filename in the output path are susceptible to directory traversal. An attacker could exploit this vulnerability by sending a specially crafted HTTP request, potentially allowing remote code execution. **Recommendations** As a temporary workaround, consider disabling the `mg handle form request` API function until a patch is available. Restrict access to the file upload form handler to minimize the risk of exploitation. Avoid using parts of the user-controlled filename in the output path. At the moment, there is no information about a newer version that contains a fix for this vulnerability.