PT-2019-14023 · Envoy

Asraa · Published 2019-10-09 · Updated 2019-10-17 · CVE-2019-15226

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Envoy versions 1.10.0 through 1.11.1

Description: The issue allows a remote attacker to craft a request that consumes CPU, resulting in a denial-of-service attack. This is due to the implementation having O(n^2) performance characteristics when verifying the total size of request headers. The attack can be performed by sending a request with many thousands of small headers, staying below the maximum request header size.

Recommendations: For Envoy versions 1.10.0 through 1.11.1, consider updating to a version that addresses this performance issue to prevent denial-of-service attacks. As a temporary workaround, consider restricting the number of headers allowed in incoming requests to minimize the risk of exploitation.
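The quadratic check the description refers to, modelled here as an added example that is not Envoy's own code: the vulnerable pattern re-sums every header after each one is parsed, so work grows as O(n^2) while the total size stays under the limit; the hardened pattern keeps a running total and additionally caps the header count, which is the workaround the advisory recommends. The size limit, the count cap and the header names are constructed values.

```python
# Added illustration of CVE-2019-15226's bug class, not Envoy's implementation.
MAX_HEADERS_KB = 60       # constructed total-size limit on request headers
MAX_HEADER_COUNT = 100    # constructed cap used by the hardened check


def header_bytes(name: str, value: str) -> int:
    return len(name) + len(value)


def check_quadratic(headers):
    """Vulnerable pattern: after each parsed header, re-walk all headers seen
    so far to recompute the total size. Returns (accepted, work_units)."""
    work = 0
    parsed = []
    for name, value in headers:
        parsed.append((name, value))
        total = 0
        for n, v in parsed:          # re-sums the whole list every time
            total += header_bytes(n, v)
            work += 1
        if total > MAX_HEADERS_KB * 1024:
            return False, work
    return True, work


def check_linear(headers, max_count=MAX_HEADER_COUNT):
    """Hardened pattern: running total (O(n)) plus a bound on the number of
    headers, so a flood of tiny headers is rejected early."""
    work = 0
    total = 0
    for count, (name, value) in enumerate(headers, start=1):
        work += 1
        if count > max_count:
            return False, work
        total += header_bytes(name, value)
        if total > MAX_HEADERS_KB * 1024:
            return False, work
    return True, work


def small_headers(n):
    """Constructed request: n tiny headers whose total size stays well
    below MAX_HEADERS_KB, mirroring the request shape the advisory describes."""
    return [(f"x-{i}", "1") for i in range(n)]


if __name__ == "__main__":
    req = small_headers(2000)
    print("quadratic:", check_quadratic(req))   # accepted, ~2 million steps
    print("linear   :", check_linear(req))      # rejected after 101 steps
```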

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2019-15226

Affected Products

Envoy