Description
A memory exhaustion vulnerability in Envoy's HTTP/2 cookie coalescing path allows a remote unauthenticated attacker to cause denial of service via crafted HPACK requests. By seeding the dynamic table with a large cookie header and replaying it with one-byte indexed references, an attacker bypasses the default max_headers_count limit — Envoy appends repeated cookie values into a per-stream buffer rather than counting them against header limits. Combined with flow-control stalling via INITIAL_WINDOW_SIZE=0, allocated memory is held open indefinitely. Fixed in Envoy 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
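The accounting gap described above, as an added example: a simplified model, not Envoy code and not the upstream fix. The `Stream` class, the `cookie_budget` byte cap, the header limit of 100, and all sizes and wire-cost estimates are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

class LimitExceeded(Exception):
    pass

@dataclass
class Stream:
    max_headers: int = 100               # sample header-count limit
    cookie_budget: Optional[int] = None  # hypothetical byte cap on coalesced cookies
    table: list = field(default_factory=list)  # model of the HPACK dynamic table
    headers: int = 0     # fields counted against max_headers
    cookie_buf: int = 0  # bytes held in the per-stream cookie buffer
    wire: int = 0        # approximate bytes received from the peer

    def _emit(self, name, value):
        if name == "cookie":
            # As the description states: appended to a buffer, not counted.
            self.cookie_buf += len(value) + 2  # value plus "; " separator
            if self.cookie_budget is not None and self.cookie_buf > self.cookie_budget:
                raise LimitExceeded("coalesced cookie bytes over budget")
            return
        self.headers += 1
        if self.headers > self.max_headers:
            raise LimitExceeded("header count over limit")

    def literal(self, name, value):
        """Literal field added to the dynamic table: full size on the wire."""
        self.table.insert(0, (name, value))
        self.wire += len(name) + len(value) + 3  # approximate framing overhead
        self._emit(name, value)

    def indexed(self, i=0):
        """Indexed reference to dynamic-table entry i: one byte on the wire."""
        self.wire += 1
        self._emit(*self.table[i])

def account(stream, value_len=4000, refs=1000):
    """Feed one large cookie plus `refs` indexed repeats; return the totals."""
    stream.literal("cookie", "a" * value_len)
    for _ in range(refs):
        stream.indexed(0)
    return stream.cookie_buf, stream.wire, stream.headers

if __name__ == "__main__":
    print(account(Stream()))
```

With no byte cap the header counter stays at zero while the buffer grows with every one-byte reference; with `cookie_budget` set, the stream is rejected once the coalesced bytes pass the cap.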