Cyber Resilience

CVE-2024-27919

Severity: High
Published: 04 April 2024
Modified: 04 November 2025
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.2388 (96.1th percentile)
Risk Priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-27919 is a high-severity Detection of Error Condition Without Action (CWE-390) vulnerability in Envoyproxy Envoy. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 3.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Envoy, the open-source edge and service proxy, contains a denial-of-service vulnerability in its HTTP/2 protocol stack affecting versions 1.29.0 and 1.29.1. The codec fails to reset a request once the configured header-map limits are exceeded, so a client can keep sending CONTINUATION frames that never carry the END_HEADERS flag; each frame is buffered and memory grows without bound. The issue is a regression introduced only in those two releases and is tracked as CWE-390.

An unauthenticated network attacker can open an HTTP/2 connection to an affected Envoy instance and transmit a flood of such frames, driving memory exhaustion on the proxy and resulting in denial of service. The CVSS 7.5 vector reflects network attack reach, low complexity, and no required credentials or user interaction, with the sole impact being high availability loss.

Official guidance directs users to upgrade immediately to Envoy 1.29.2. Where an upgrade is not feasible, the documented workarounds are to downgrade to 1.28.1 or earlier or to disable HTTP/2 on downstream listeners. The fix is recorded in the project’s security advisory GHSA-gghf-vfxp-799r and the associated commit.

The EPSS score has remained at 0.2388 with no material post-disclosure increase.


Vulnerability details

Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, the Envoy HTTP/2 protocol stack is vulnerable to a flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing unlimited memory consumption. This can lead to denial of service through memory exhaustion. Users should upgrade to version 1.29.2 to mitigate the effects of the CONTINUATION flood. Note that this vulnerability is a regression in Envoy versions 1.29.0 and 1.29.1 only. As a workaround, downgrade to version 1.28.1 or earlier or disable the HTTP/2 protocol for downstream connections.

CWE(s)

CWE-390: Detection of Error Condition Without Action

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: envoyproxy
Product: envoy
Versions: 1.29.0, 1.29.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-390

Requires explicit action (alert plus additional responses) on audit logging failures rather than detecting the error condition without acting.

addresses: CWE-390

The control mandates response actions to address results from monitoring and assessments, preventing detection of error conditions without subsequent corrective action.

addresses: CWE-390

Procedures require detection of error/incident conditions followed by defined response actions.

addresses: CWE-390

IR testing verifies that detected error conditions trigger appropriate response actions rather than being ignored.

addresses: CWE-390

The containment, eradication, and recovery steps ensure detected incidents trigger concrete actions rather than no response.

addresses: CWE-390

Provides assistance for handling incidents, ensuring detected error conditions lead to appropriate user actions rather than inaction.

addresses: CWE-390

Requires response actions to analysis of monitoring data, directly preventing detection of error conditions without follow-up action.

addresses: CWE-390

Reporting on security performance measures requires confirming that detected error conditions trigger appropriate actions rather than being ignored.
