Description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Remediation
References
Related Vulnerabilities
Rukovoditel Cleartext Storage of Sensitive Information Vulnerability (CVE-2020-11821)
WordPress Plugin CopySafe Web Protection Cross-Site Request Forgery (2.5)
Apache HTTP Server Improper Input Validation Vulnerability (CVE-2011-4415)
Liferay Portal Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2025-43790)
WordPress Plugin Simple Slide Show TimThumb Arbitrary File Upload (1.0)