CVE-2024-23324: Envoyproxy Envoy Auth Bypass Vulnerability

CVE-2024-23324 Overview

CVE-2024-23324 is an external authorization bypass vulnerability in Envoy, a high-performance edge, middle, and service proxy widely deployed in service mesh and API gateway architectures. Downstream clients can craft invalid gRPC requests that are forwarded to the ext_authz filter, causing authorization checks to be skipped when the filter is configured with failure_mode_allow set to true. The flaw is categorized as improper input validation [CWE-20] and allows unauthenticated network attackers to bypass policy enforcement. The Envoy project addressed the issue in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7.

Critical Impact

Attackers can bypass ext_authz authorization checks by sending malformed gRPC traffic, reaching protected upstream services without policy enforcement.

Affected Products

• Envoy versions prior to 1.26.7
• Envoy versions 1.27.0 through 1.27.2
• Envoy versions 1.28.0 and 1.29.0

Discovery Timeline

• 2024-02-09 - CVE-2024-23324 published to NVD
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-23324

Vulnerability Analysis

Envoy's external authorization (ext_authz) filter delegates access control decisions to an external service over HTTP or gRPC. Operators commonly set failure_mode_allow: true to keep traffic flowing when the authorization service is unreachable. This vulnerability changes the meaning of that fail-open behavior. A downstream client can intentionally send a gRPC request structured in a way that Envoy considers invalid before reaching the authorization service. Envoy then treats the situation as an authorization failure path and, under failure_mode_allow, forwards the request to the upstream without ever consulting the policy engine. The result is an authentication and authorization control bypass that violates the integrity of access decisions.

Root Cause

The root cause is improper input validation in how Envoy constructs and dispatches gRPC check requests to the ext_authz service. Malformed downstream input causes the filter to short-circuit into the failure path rather than rejecting the request outright. When failure_mode_allow is enabled, that path permits the request, conflating client-induced invalid input with authorization-service unavailability.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends specifically crafted requests through any Envoy listener configured with the ext_authz filter using gRPC and failure_mode_allow: true. Because the bypass occurs before the authorization service evaluates the request, attribute-based, JWT, or OPA-style policies attached to that service are not applied. See the Envoy GitHub Security Advisory GHSA-gq3v-vvhj-96j6 for technical details on the invalid request shape.

No public proof-of-concept exploitation code is referenced in the advisory, and no synthetic exploitation code is reproduced here.

Detection Methods for CVE-2024-23324

Indicators of Compromise

• Upstream access logs showing requests reaching protected services without a corresponding ext_authz decision log entry.
• Spikes in Envoy stats counters such as ext_authz.error or ext_authz.failure_mode_allowed without a matching outage of the authorization backend.
• Malformed gRPC frames or unusual header combinations on downstream listeners that precede successful upstream responses.

Detection Strategies

• Correlate Envoy access logs with authorization service logs to identify requests that were forwarded upstream without a policy decision recorded.
• Alert on any nonzero rate of ext_authz.failure_mode_allowed events, treating fail-open as an investigable signal rather than a silent default.
• Inspect ingress traffic for gRPC requests that violate protocol expectations, including invalid message framing or unexpected content-type values.

Monitoring Recommendations

• Ship Envoy admin stats and access logs to a centralized analytics platform and build dashboards for ext_authz outcome distribution over time.
• Add synthetic probes that send known-good and known-bad authorized traffic to validate that policy decisions are still being enforced after upgrades or configuration changes.
• Track Envoy version inventory across clusters and flag any node running a release earlier than 1.26.7, 1.27.3, 1.28.1, or 1.29.1.

How to Mitigate CVE-2024-23324

Immediate Actions Required

• Upgrade Envoy to 1.29.1, 1.28.1, 1.27.3, or 1.26.7 depending on the deployed minor version.
• Audit all ext_authz filter configurations and identify every instance where failure_mode_allow is set to true.
• Where business risk allows, set failure_mode_allow to false until patched binaries are deployed, accepting that authorization service outages will fail closed.

Patch Information

The fix is delivered in Envoy releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Service mesh distributions that embed Envoy, including Istio and Gloo, should be updated to versions that incorporate these Envoy releases. Refer to the Envoy upstream commit and the GHSA-gq3v-vvhj-96j6 advisory for release notes and code-level details.

Workarounds

• The Envoy maintainers state there are no known workarounds for this vulnerability; upgrading is required.
• As a compensating control until patching, switch ext_authz to fail closed by setting failure_mode_allow: false so invalid requests are denied rather than forwarded.

# Compensating configuration: fail closed in the ext_authz filter
# (Envoy listener filter chain snippet)
http_filters:
  - name: envoy.filters.http.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
      transport_api_version: V3
      failure_mode_allow: false
      grpc_service:
        envoy_grpc:
          cluster_name: ext-authz
        timeout: 0.5s