CVE-2023-35945

HIGH

Envoy < 1.23.11 - Denial of Service via HTTP/2 RST_STREAM and GOAWAY Frame Handling

Title source: llm

Description

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r

Product x_refsource_misc

https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346

View Writeup ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0111

EPSS Percentile 61.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-400 CWE-459

Status published

Products (2)

envoyproxy/envoy < 1.23.11

nghttp2/nghttp2 < 1.55.1

Published Jul 13, 2023

Tracked Since Feb 18, 2026