PT-2024-2651 · Envoy · Envoy
Bartek Nowotarski
·
Published
2024-01-05
·
Updated
2025-09-04
·
CVE-2024-30255
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Envoy versions prior to 1.29.3
Envoy versions prior to 1.28.2
Envoy versions prior to 1.27.4
Envoy versions prior to 1.26.8
Description
The HTTP/2 codec used by Envoy for downstream connections is vulnerable to CPU exhaustion caused by a flood of CONTINUATION frames. In HTTP/2, a header block starts with a HEADERS frame; if that frame does not carry the END_HEADERS flag, the block continues with CONTINUATION frames on the same stream until one of them sets END_HEADERS. A remote, unauthenticated attacker opens a stream with a HEADERS frame that lacks END_HEADERS and then sends an unbounded sequence of CONTINUATION frames, none of which sets END_HEADERS. Envoy spends CPU processing every frame of a header block that never completes, so CPU consumption scales with the attacker's send rate and culminates in denial of service through CPU exhaustion.
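To make the frame sequence concrete, the following script is an added example (it is not Envoy code and not from the advisory). It builds the raw HTTP/2 frames a CONTINUATION flood consists of, then runs them through a small header-block checker that enforces the kind of bound a hardened codec applies to an unfinished header block, and shows that a checker without such a bound processes every frame the attacker sends. Frame layout and flag values follow RFC 9113; the HPACK fragment, the limit values (8 CONTINUATION frames, 64 KiB per block) and the verdict strings are illustrative assumptions, not Envoy's actual behaviour or settings.

```python
"""Minimal HTTP/2 frame builder and header-block checker (added example).

Constructs the byte stream a CONTINUATION flood consists of and shows how a
codec that bounds an unfinished header block stops it early, whereas an
unbounded codec processes every frame the attacker sends. Frame layout and
flag values follow RFC 9113; the limit values are illustrative assumptions,
not Envoy's actual configuration.
"""
import struct

FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4

# Constructed HPACK fragment: indexed ":method: GET", ":path: /", ":scheme: https"
# plus one literal field ("xpad: AAAAAAAA") so every frame carries some bytes.
# Nothing below decodes HPACK, so the fragment only has to be plausible.
SAMPLE_FRAGMENT = b"\x82\x84\x87" + b"\x40\x04xpad\x08" + b"A" * 8


def frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds 2^24-1 bytes")
    return (struct.pack(">I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF)
            + payload)


def build_normal_request(stream_id, fragment=SAMPLE_FRAGMENT):
    """Well-formed header block: HEADERS, then one CONTINUATION that sets END_HEADERS."""
    return (frame(FRAME_HEADERS, FLAG_END_STREAM, stream_id, fragment)
            + frame(FRAME_CONTINUATION, FLAG_END_HEADERS, stream_id, fragment))


def build_continuation_flood(stream_id, n_frames, fragment=SAMPLE_FRAGMENT):
    """The attack shape: HEADERS without END_HEADERS followed by n CONTINUATION
    frames, none of which ever sets END_HEADERS, so the header block never ends."""
    parts = [frame(FRAME_HEADERS, 0, stream_id, fragment)]
    parts.extend(frame(FRAME_CONTINUATION, 0, stream_id, fragment) for _ in range(n_frames))
    return b"".join(parts)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame; reject truncated input."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += 9 + length


def check_header_blocks(data, max_continuation=8, max_block_bytes=64 * 1024):
    """Walk a frame stream enforcing bounds on an unfinished header block.

    Returns (verdict, frames_processed). Pass max_continuation=None and/or
    max_block_bytes=None to model a codec without that bound: it then keeps
    consuming frames until the input is exhausted.
    """
    open_stream = None      # stream id whose header block is being assembled
    cont_count = 0
    block_bytes = 0
    processed = 0
    for ftype, flags, sid, payload in parse_frames(data):
        processed += 1
        if open_stream is None:
            if ftype == FRAME_CONTINUATION:
                return "PROTOCOL_ERROR: CONTINUATION without open header block", processed
            if ftype == FRAME_HEADERS:
                open_stream, cont_count, block_bytes = sid, 0, len(payload)
        else:
            # RFC 9113 s6.10: only CONTINUATION on the same stream may follow.
            if ftype != FRAME_CONTINUATION or sid != open_stream:
                return "PROTOCOL_ERROR: frame interleaved in header block", processed
            cont_count += 1
            block_bytes += len(payload)
            if max_continuation is not None and cont_count > max_continuation:
                return "ENHANCE_YOUR_CALM: too many CONTINUATION frames", processed
            if max_block_bytes is not None and block_bytes > max_block_bytes:
                return "ENHANCE_YOUR_CALM: header block too large", processed
        if open_stream is not None and flags & FLAG_END_HEADERS:
            open_stream = None  # header block complete; HPACK decoding would run here
    if open_stream is not None:
        return "INCOMPLETE: header block never terminated", processed
    return "OK", processed


if __name__ == "__main__":
    print("normal   :", check_header_blocks(build_normal_request(1)))
    flood = build_continuation_flood(1, 1000)
    print("bounded  :", check_header_blocks(flood))
    print("unbounded:", check_header_blocks(flood, max_continuation=None, max_block_bytes=None))
```

With the bound in place the flood is cut off at the ninth CONTINUATION frame; without it the checker walks all 1001 frames and only then notices the block never ended, which is the shape of the problem the advisory describes: the work done is proportional to what the attacker chooses to send.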
Recommendations
Upgrade to the first fixed release of the branch you run:
1.29.x: upgrade to 1.29.3
1.28.x: upgrade to 1.28.2
1.27.x: upgrade to 1.27.4
1.26.x: upgrade to 1.26.8
As a temporary workaround, disable the HTTP/2 protocol for downstream connections. Note that this also breaks clients that require HTTP/2 (for example gRPC over the affected listener), and it does not address upstream connections, which this advisory does not list as affected.
DoS
Resource Exhaustion
Affected Products
Envoy