Cyber Resilience

CVE-2024-30255

Medium

Published: 04 April 2024
Modified: 04 November 2025
KEV Added: not listed
Patch:
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.8881 (99.5th percentile)
Risk Priority: 64 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-30255 is a medium-severity Detection of Error Condition Without Action (CWE-390) vulnerability in Envoy (envoyproxy/envoy). Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Envoy is a cloud-native open source edge and service proxy whose HTTP/2 protocol stack is affected by CVE-2024-30255. Versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 contain a flaw in the HTTP/2 codec that permits a client to transmit an unlimited number of CONTINUATION frames after Envoy's header map limits have already been exceeded. This is the pattern CWE-390 describes: the codec detects that the limit has been exceeded but takes no action on that condition, so it keeps accepting and processing frames, enabling sustained CPU consumption of roughly one core per 300 Mbit/s of malicious traffic.

An unauthenticated network attacker can exploit the issue by sending a stream of CONTINUATION frames that lack the END_HEADERS flag. The resulting flood drives CPU utilization to exhaustion, producing a denial-of-service condition against the proxy without requiring any special privileges or user interaction. The CVSS 5.3 rating reflects the network attack vector, low complexity, and availability impact.

Official advisories recommend an immediate upgrade to one of the patched releases (1.29.3, 1.28.2, 1.27.4, or 1.26.8). As a temporary workaround, operators can disable HTTP/2 for downstream connections on the affected listeners. The EPSS score stands at 0.8881, with no indicated rise from a lower baseline.

Vulnerability details

Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 is vulnerable to CPU exhaustion due to a flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing CPU utilization of approximately 1 core per 300 Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable the HTTP/2 protocol for downstream connections.
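The codec behaviour described in the deeper analysis and in the vulnerability details above, as an added example that is not Envoy's code: a small Python model of an HTTP/2 header-block accumulator. It parses real 9-byte frame headers, and compares a pre-fix style codec that keeps reading CONTINUATION frames after the header limit is exceeded with a fixed one that ends processing on the first frame over the limit. The 1024-byte limit, the 100-byte frame size and the sample input are constructed for the demo.

```python
import struct

# HTTP/2 frame constants (RFC 9113). This codec model is written for this page; it is not Envoy's code.
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4

def frame(ftype, flags, stream_id, payload):
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in a byte string."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        pos += 9 + length
        yield ftype, flags, stream_id, payload

def process_header_block(data, max_header_bytes, strict):
    """Accumulate a HEADERS block plus its CONTINUATION frames against a size limit.
    strict=False models the pre-fix codec: after the limit is exceeded the block is marked
    bad, yet every further CONTINUATION frame is still read and accumulated (CPU per frame).
    strict=True models the fix: the first frame over the limit ends processing at once.
    Returns (outcome, frames_processed)."""
    accumulated = processed = 0
    exceeded = False
    for ftype, flags, _stream_id, payload in iter_frames(data):
        processed += 1
        if ftype not in (HEADERS, CONTINUATION):
            continue
        accumulated += len(payload)
        if accumulated > max_header_bytes:
            if strict:
                return "connection_closed", processed
            exceeded = True
        if flags & END_HEADERS:
            return ("header_block_rejected" if exceeded else "header_block_complete"), processed
    return "incomplete", processed

def unterminated_header_block(n_continuations, frame_bytes=100, stream_id=1):
    """Constructed sample input: HEADERS then n CONTINUATION frames, none with END_HEADERS."""
    data = frame(HEADERS, 0, stream_id, b"\x00" * frame_bytes)
    for _ in range(n_continuations):
        data += frame(CONTINUATION, 0, stream_id, b"\x00" * frame_bytes)
    return data
```

With `unterminated_header_block(1000)` and a 1024-byte limit, `strict=False` reads all 1001 frames and returns `("incomplete", 1001)`, while `strict=True` stops at frame 11 with `("connection_closed", 11)`; a terminated block that is over the limit is reported as `header_block_rejected` in the pre-fix model.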

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

envoyproxy/envoy: ≤ 1.26.8, 1.27.0 to 1.27.4, 1.28.0 to 1.28.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-390) cited in the NVD entry.

Addresses CWE-390: Requires explicit action (alert plus additional responses) on audit logging failures rather than detecting the error condition without acting.

Addresses CWE-390: The control mandates response actions to address results from monitoring and assessments, preventing detection of error conditions without subsequent corrective action.

Addresses CWE-390: Procedures require detection of error/incident conditions followed by defined response actions.

Addresses CWE-390: IR testing verifies that detected error conditions trigger appropriate response actions rather than being ignored.

Addresses CWE-390: The containment, eradication, and recovery steps ensure detected incidents trigger concrete actions rather than no response.

Addresses CWE-390: Provides assistance for handling incidents, ensuring detected error conditions lead to appropriate user actions rather than inaction.

Addresses CWE-390: Requires response actions to analysis of monitoring data, directly preventing detection of error conditions without follow-up action.

Addresses CWE-390: Reporting on security performance measures requires confirming that detected error conditions trigger appropriate actions rather than being ignored.
