CVE-2023-27493

HIGH

Envoy < 1.22.9 - HTTP Request Smuggling

Title source: rule

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.

References (1)

[Exploit, Vendor Advisory] https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q

Scores

CVSS v3 8.1

EPSS 0.0001

EPSS Percentile 1.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-444 CWE-20

Status published

Products (1)

envoyproxy/envoy < 1.22.9

Published Apr 04, 2023

Tracked Since Feb 18, 2026