CVE-2020-25017

Name of the Vulnerable Software and Affected Versions Envoy versions prior to 1.15.0

Description The issue arises because Envoy only considers the first value when multiple header values are present for some HTTP headers. Additionally, Envoy's setCopy() header map API does not replace all existing occurrences of a non-inline header.

Recommendations For versions prior to 1.15.0, update to version 1.15.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the setCopy() header map API to minimize the risk of exploitation. Avoid using non-inline headers in the affected API endpoints until the issue is resolved.