CVE-2024-30255
Published: 04 April 2024
Summary
CVE-2024-30255 is a medium-severity Detection of Error Condition Without Action (CWE-390) vulnerability in Envoyproxy Envoy. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Envoy is a cloud-native open source edge and service proxy whose HTTP/2 protocol stack is affected by CVE-2024-30255. Versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 contain a flaw in the HTTP/2 codec that permits a client to transmit an unlimited number of CONTINUATION frames after Envoy's header map limits have already been exceeded. The weakness is classified as CWE-390 (detection of an error condition without action): the codec detects that the header limit has been exceeded but keeps accepting and processing further CONTINUATION frames instead of terminating the stream, which enables sustained CPU consumption at roughly one core per 300 Mbit/s of malicious traffic.
An unauthenticated network attacker can exploit the issue by sending a stream of CONTINUATION frames that lack the END_HEADERS flag. The resulting flood drives CPU utilization to exhaustion, producing a denial-of-service condition against the proxy without requiring any special privileges or user interaction. The CVSS 5.3 rating reflects the network attack vector, low complexity, and availability impact.
Official advisories recommend immediate upgrade to one of the patched releases. As a temporary workaround, operators can disable HTTP/2 support on downstream listener configurations. The associated EPSS score stands at 0.8881 with no indicated rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-28182
Vulnerability details
Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 is vulnerable to CPU exhaustion due to a flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing CPU utilization, consuming approximately 1 core per 300 Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable the HTTP/2 protocol for downstream connections.
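To illustrate the defensive behaviour that the "Deeper analysis" and "Vulnerability details" sections describe as missing (acting on the header-limit condition instead of reading on), here is an added, self-contained example that is not Envoy's code: a minimal HTTP/2 frame reader that accumulates header-block bytes across HEADERS and CONTINUATION frames per stream and rejects the stream the moment the configured limit is exceeded. The frame sizes, the limit and the sample byte streams are constructed assumptions for the demonstration.

```python
# Minimal HTTP/2 (RFC 7540) frame walker with a cumulative header-block limit.
# Constructed example: not Envoy's codec; frame sizes and limit are assumptions.
import struct

HEADERS, CONTINUATION = 0x1, 0x9   # frame type codes from RFC 7540 section 6
END_HEADERS = 0x4                  # flag that closes a header block

def frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def check_header_blocks(data, max_header_bytes):
    """Walk frames in `data`; return ("ok", frames_read) or ("reject", frames_read).
    The limit is enforced on every HEADERS/CONTINUATION frame, so an endless run of
    CONTINUATION frames without END_HEADERS is cut off at the limit, not consumed."""
    pending = {}        # stream id -> header-block bytes accumulated so far
    pos, frames = 0, 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        sid = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        pos += 9 + length
        frames += 1
        if ftype == HEADERS:
            pending[sid] = len(payload)
        elif ftype == CONTINUATION:
            if sid not in pending:
                return ("reject", frames)   # no open header block: protocol error
            pending[sid] += len(payload)
        else:
            continue                        # other frame types are not header blocks
        if pending[sid] > max_header_bytes:
            return ("reject", frames)       # act on the error condition immediately
        if flags & END_HEADERS:
            del pending[sid]                # header block complete, reset the counter
    return ("ok", frames)

def constructed_flood(n_frames=50, size=100):
    """Constructed sample: one HEADERS then n CONTINUATION frames, none with END_HEADERS."""
    return frame(HEADERS, 0, 1, b"\0" * size) + b"".join(
        frame(CONTINUATION, 0, 1, b"\0" * size) for _ in range(n_frames))

def benign_headers(size=100):
    """Constructed sample: a header block split over three frames, properly terminated."""
    return (frame(HEADERS, 0, 1, b"\0" * size) + frame(CONTINUATION, 0, 1, b"\0" * size)
            + frame(CONTINUATION, END_HEADERS, 1, b"\0" * size))
```

With a 1024-byte limit and 100-byte frames, the flood sample is rejected at the 11th frame (100 + 10 × 100 = 1100 bytes), while the three-frame benign block passes.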
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires explicit action (alert plus additional responses) on audit logging failures rather than detecting the error condition without acting.
The control mandates response actions to address results from monitoring and assessments, preventing detection of error conditions without subsequent corrective action.
Procedures require detection of error/incident conditions followed by defined response actions.
IR testing verifies that detected error conditions trigger appropriate response actions rather than being ignored.
The containment, eradication, and recovery steps ensure detected incidents trigger concrete actions rather than no response.
Provides assistance for handling incidents, ensuring detected error conditions lead to appropriate user actions rather than inaction.
Requires response actions to analysis of monitoring data, directly preventing detection of error conditions without follow-up action.
Reporting on security performance measures requires confirming that detected error conditions trigger appropriate actions rather than being ignored.