PT-2020-13163 · Envoy · Envoy

Bartosz Borkowski +1

Published 2020-07-01 · Updated 2024-03-06

CVE-2020-12604

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Envoy versions 1.14.2, 1.13.2, 1.12.4 or earlier

Description: The issue arises when an HTTP/2 client requests a large payload but does not send enough window updates (WINDOW_UPDATE frames) to consume the entire stream and never resets the stream. The unconsumed data stays buffered in the proxy, so memory usage grows with each such stream.

Recommendations: For Envoy versions 1.14.2, 1.13.2, 1.12.4 or earlier, consider restricting the size of payloads served to HTTP/2 clients or implementing measures to handle streams that are not properly consumed, such as resetting streams after a certain period of inactivity, until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
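An Envoy listener fragment in the spirit of the recommendation above, added here as an illustration and not taken from this advisory or from the Envoy project; the listener name, port, cluster name, timeout and window/buffer sizes are assumptions to be tuned per deployment:

```yaml
# Illustrative Envoy configuration (added example; values are assumptions).
# Goal: bound how long, and how much, an HTTP/2 client can leave unconsumed
# response data buffered inside the proxy.
static_resources:
  listeners:
  - name: ingress_http                       # assumed listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    # Cap the bytes buffered per connection before backpressure applies
    # (Envoy's default is 1 MiB; 32 KiB is an assumed tighter value).
    per_connection_buffer_limit_bytes: 32768
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # Reset any stream that shows no activity for 30s (assumed value;
          # Envoy's default is 5 minutes), so a client that stops sending
          # WINDOW_UPDATE frames without resetting the stream is cut off.
          stream_idle_timeout: 30s
          http2_protocol_options:
            # Smaller flow-control windows limit how much data Envoy pushes
            # toward a peer that is not consuming it. 65535 is the HTTP/2
            # default and the minimum Envoy accepts.
            initial_stream_window_size: 65535
            initial_connection_window_size: 1048576   # 1 MiB, assumed
            # Bound the number of streams one connection can leave half-consumed.
            max_concurrent_streams: 100
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }           # assumed cluster name
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

With these limits in place, watch the listener's downstream flow-control and stream-reset statistics to confirm that stalled streams are actually being torn down rather than accumulating.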

DoS

Memory Leak

Weakness Enumeration

Related Identifiers

BIT-ENVOY-2020-12604
CVE-2020-12604
GHSA-8HF8-8GVW-GGVX
OPENSUSE-SU-2022:0065-1
RHSA-2020:2798
RHSA-2020:2864

Affected Products

Envoy