CVE-2024-27919
Published: 04 April 2024
Summary
CVE-2024-27919 is a high-severity Detection of Error Condition Without Action (CWE-390) vulnerability in Envoyproxy Envoy. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Envoy, the open-source edge and service proxy, contains a denial-of-service vulnerability in its HTTP/2 protocol stack affecting versions 1.29.0 and 1.29.1. The codec fails to reset a request once configured header-map limits are exceeded, allowing an unbounded sequence of CONTINUATION frames that lack the END_HEADERS flag and therefore consume memory without bound. The issue is a regression introduced only in those two releases and is tracked as CWE-390.
An unauthenticated network attacker can open an HTTP/2 connection to an affected Envoy instance and transmit a flood of such frames, driving memory exhaustion on the proxy and resulting in denial of service. The CVSS 7.5 vector reflects network attack reach, low complexity, and no required credentials or user interaction, with the sole impact being high availability loss.
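The check the paragraphs above describe as missing, sketched as an added Python example (not Envoy's code and not taken from the advisory): it walks raw HTTP/2 frames, accounts for each header block, and stops tracking a block as soon as it passes a byte or CONTINUATION-count limit. The function names, the two limit parameters and the sample capture are assumptions constructed for illustration.

```python
# Added example: bounded accounting of HTTP/2 header blocks (not Envoy code).
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4

def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(buf):
    """Yield (type, flags, stream_id, payload_length) for each complete frame."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        if off + 9 + length > len(buf):
            break  # truncated capture: stop rather than guess
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, sid, length
        off += 9 + length

def audit_header_blocks(buf, max_block_bytes, max_continuations):
    """Flag header blocks over either limit and stop tracking them, which is
    the 'act on the detected error' step. Limits are hypothetical parameters.
    Byte counts use frame payload length (padding/priority fields included)."""
    findings, block = [], None  # block = [stream_id, bytes, continuations]
    for ftype, flags, sid, length in parse_frames(buf):
        if ftype == HEADERS:
            block = [sid, length, 0]
        elif ftype == CONTINUATION and block and block[0] == sid:
            block[1] += length
            block[2] += 1
        else:
            continue  # other frame types, or CONTINUATION for a dropped block
        if block[1] > max_block_bytes:
            findings.append((sid, "bytes", block[1], block[2]))
            block = None
        elif block[2] > max_continuations:
            findings.append((sid, "continuations", block[1], block[2]))
            block = None
        elif flags & END_HEADERS:
            block = None  # block completed within limits
    return findings

# Constructed sample capture: one normal request, then an unterminated block.
SAMPLE = (frame(HEADERS, END_HEADERS, 1, b"a" * 20)
          + frame(HEADERS, 0, 3, b"b" * 10)
          + b"".join(frame(CONTINUATION, 0, 3, b"c" * 16) for _ in range(6))
          + frame(HEADERS, END_HEADERS, 5, b"d" * 12))

if __name__ == "__main__":
    print(audit_header_blocks(SAMPLE, max_block_bytes=64, max_continuations=10))
```

Once a block is flagged, later CONTINUATION frames for it are ignored, so the tracked state stays bounded no matter how many more frames arrive.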
Official guidance directs users to upgrade immediately to Envoy 1.29.2. Where an upgrade is not feasible, the documented workarounds are to downgrade to 1.28.1 or earlier or to disable HTTP/2 on downstream listeners. The fix is recorded in the project’s security advisory GHSA-gghf-vfxp-799r and the associated commit.
The EPSS score has remained at 0.2388 with no material post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25106
Vulnerability details
Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, the Envoy HTTP/2 protocol stack is vulnerable to a flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing unlimited memory consumption. This can lead to denial of service through memory exhaustion. Users should upgrade to version 1.29.2 to mitigate the effects of the CONTINUATION flood. Note that this vulnerability is a regression in Envoy versions 1.29.0 and 1.29.1 only. As a workaround, downgrade to version 1.28.1 or earlier or disable the HTTP/2 protocol for downstream connections.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires explicit action (alert plus additional responses) on audit logging failures rather than detecting the error condition without acting.
The control mandates response actions to address results from monitoring and assessments, preventing detection of error conditions without subsequent corrective action.
Procedures require detection of error/incident conditions followed by defined response actions.
IR testing verifies that detected error conditions trigger appropriate response actions rather than being ignored.
The containment, eradication, and recovery steps ensure detected incidents trigger concrete actions rather than no response.
Provides assistance for handling incidents, ensuring detected error conditions lead to appropriate user actions rather than inaction.
Requires response actions to analysis of monitoring data, directly preventing detection of error conditions without follow-up action.
Reporting on security performance measures requires confirming that detected error conditions trigger appropriate actions rather than being ignored.