Envoy CVE-2025-4774: HTTP/2 Cookie Bypass & HPACK Amplification DoS via Memory Exhaustion

Vulnerability Overview HTTP/2 Memory Exhaustion via Cookie Header Size Bypass and HPACK Amplification Description: A vulnerability exists in Envoy’s HTTP/2 downstream request processing that allows unauthenticated remote clients to trigger excessive memory consumption, potentially causing the Envoy process to terminate due to Out-Of-Memory (OOM) errors and resulting in a denial of service. Root Causes: 1. Cookie header bytes were not fully accounted for during Envoy’s request header size validation. 2. The encoded header limit enforced in was ineffective for fully decoded header sizes due to the absence of a corresponding total size limit. Impact Scope Affected Components: - Envoy HTTP/2 downstream request processing - Cookie header size calculation during request header validation - HPACK header block size enforcement in Impact: - An unauthenticated remote attacker can cause a denial of service by exhausting memory within the Envoy process. - During testing, with a 3 GB memory limit and a small number of connections and streams, the Envoy edge process was killed by OOM. - The attack remains effective with fewer connections and streams, indicating that exploitation can be efficient even under stricter resource constraints for the attacker. - Over-decoded cookies forwarded to the upstream may exceed the upstream service’s header limits, resulting in HTTP/2 connection resets and temporary request failures at the upstream. Remediation Patch: - A complete fix requires addressing both contributing issues: 1. Account for buffered cookie bytes in the request header size before request acceptance. 2. Enforce limits on both the encoded HPACK block size and the decoded header size. - Fixing only one of these issues may reduce exploitability but does not fully resolve the root cause. Temporary Mitigations: - Disable downstream HTTP/2 where operationally feasible. - Enforce stricter request header and cookie header limits before traffic reaches Envoy. - Monitor Envoy memory usage to detect anomalous growth under HTTP/2 traffic. Detection: - Potential indicators of exploitation include: - Rapid or sustained anomalous memory growth in the Envoy process. - OOM terminations, including exit code 137 in containerized environments. - Anomalous HTTP/2 traffic patterns involving repeated indexed cookie references. Key Information CVE ID: CVE-2025-4774 CVSS v3 Base Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality: None - Integrity: None - Availability: High Credits: - Reporter: Snow-Peijia - Coordinators: pflax, botengyao - Analyst: yurakosov Summary This vulnerability allows an unauthenticated remote client to trigger memory exhaustion in the Envoy process by bypassing cookie header size limits and leveraging HPACK amplification, leading to denial of service. The fix involves accounting for buffered cookie bytes before request acceptance and enforcing limits on decoded header sizes. Temporary mitigations include disabling downstream HTTP/2, enforcing stricter header limits, and monitoring memory usage.

Goal Reached Thanks to every supporter — we hit 100%!

Envoy CVE-2025-4774: HTTP/2 Cookie Bypass & HPACK Amplification DoS via Memory Exhaustion

More from this source