CVE-2024-27919 Overview
CVE-2024-27919 is a denial of service vulnerability in Envoy, the cloud-native, open-source edge and service proxy. The vulnerability affects Envoy's HTTP/2 protocol stack, specifically in how it handles CONTINUATION frames. In affected versions, Envoy's HTTP/2 codec fails to properly reset a request when header map limits have been exceeded, allowing attackers to send a sequence of CONTINUATION frames without the END_HEADERS bit set. This causes unlimited memory consumption, leading to denial of service through memory exhaustion.
Critical Impact
Remote attackers can exhaust server memory and cause complete denial of service by sending malicious HTTP/2 CONTINUATION frame sequences to vulnerable Envoy proxy instances.
Affected Products
- Envoyproxy Envoy version 1.29.0
- Envoyproxy Envoy version 1.29.1
Discovery Timeline
- 2024-04-04 - CVE-2024-27919 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-27919
Vulnerability Analysis
This vulnerability represents a regression introduced specifically in Envoy versions 1.29.0 and 1.29.1. The flaw resides in Envoy's HTTP/2 codec implementation, which is responsible for processing HTTP/2 protocol frames including CONTINUATION frames. When an HTTP/2 client sends header data that exceeds configured header map limits, the codec should terminate and reset the offending request. However, in vulnerable versions, this reset mechanism fails to trigger properly when processing CONTINUATION frames.
HTTP/2 CONTINUATION frames are used to continue header block fragments that do not fit within a single HEADERS frame. The protocol specifies that CONTINUATION frames may be sent in sequence until a frame with the END_HEADERS flag is received. The vulnerability allows an attacker to exploit this by sending an unbounded sequence of CONTINUATION frames without ever setting the END_HEADERS bit, bypassing the header size limits that should protect against resource exhaustion.
Root Cause
The root cause is classified as CWE-390 (Detection of Error Condition Without Action). When the HTTP/2 codec detects that header map limits have been exceeded, it fails to take the appropriate action of resetting the request stream. This missing error handling allows the processing to continue accumulating header data in memory indefinitely.
The fix implemented in commit 57a02565532c18eb9df972a3e8974be3ae59f2d5 addresses this by ensuring that requests are properly reset when header limits are exceeded during CONTINUATION frame processing.
Attack Vector
The attack is network-based and requires no authentication or user interaction, making it highly accessible to remote attackers. An attacker can exploit this vulnerability by establishing an HTTP/2 connection to a vulnerable Envoy proxy and sending a crafted sequence of CONTINUATION frames designed to exhaust server memory.
The attack flow involves:
- Establishing an HTTP/2 connection to the target Envoy proxy
- Initiating a stream with a HEADERS frame
- Continuously sending CONTINUATION frames without the END_HEADERS flag
- The server accumulates header data in memory without bounds until memory exhaustion occurs
This is part of a broader class of HTTP/2 CONTINUATION flood attacks that affected multiple HTTP/2 implementations. See the CERT Vulnerability Information for additional context on this vulnerability class.
Detection Methods for CVE-2024-27919
Indicators of Compromise
- Unusual memory consumption spikes on Envoy proxy instances
- HTTP/2 connections with abnormally large numbers of CONTINUATION frames
- Envoy process crashes or restarts due to out-of-memory conditions
- Degraded proxy performance or unresponsive services behind Envoy
Detection Strategies
- Monitor Envoy memory usage metrics for sudden, sustained increases
- Implement HTTP/2 frame-level logging to detect high volumes of CONTINUATION frames per connection
- Set up alerts for Envoy process OOM (Out of Memory) kills or restarts
- Deploy network-level monitoring to detect anomalous HTTP/2 traffic patterns
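The frame-level check described above, and the missing reset action named under Root Cause, as an added example that is not part of the advisory or of Envoy's own code: it parses raw HTTP/2 frames, tracks how much header block data each stream has accumulated across HEADERS and CONTINUATION frames, and flags (and stops buffering for) any stream that passes a configured limit before END_HEADERS arrives, which is the behaviour the 1.29.2 fix restores in the codec. The sample traffic is constructed inline, the 8 KiB limit is an assumed value, and payload bytes are counted raw (padding and priority fields are not subtracted).

```python
import struct

# HTTP/2 frame constants from RFC 9113
FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FRAME_HEADER_LEN = 9

def build_frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in a raw byte stream."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame; ignore it
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length

def find_oversized_header_blocks(data, max_header_bytes):
    """Return [(stream_id, bytes_seen, continuation_frames)] for each stream whose header block
    exceeded max_header_bytes before END_HEADERS. A patched codec resets such a stream at that
    point instead of buffering further CONTINUATION frames; the vulnerable codec kept buffering."""
    open_blocks = {}  # stream_id -> [accumulated header bytes, CONTINUATION frame count]
    flagged = []
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == FRAME_HEADERS:
            open_blocks[sid] = [len(payload), 0]
        elif ftype == FRAME_CONTINUATION and sid in open_blocks:
            open_blocks[sid][0] += len(payload)
            open_blocks[sid][1] += 1
        else:
            continue  # other frame types, or CONTINUATION for a stream already reset or closed
        seen, count = open_blocks[sid]
        if seen > max_header_bytes:
            flagged.append((sid, seen, count))
            del open_blocks[sid]  # reset the stream: the action missing in 1.29.0 and 1.29.1
        elif flags & FLAG_END_HEADERS:
            del open_blocks[sid]  # header block complete, nothing further to track
    return flagged

# Constructed sample traffic (not a real capture): stream 3 sends one complete header block;
# stream 1 sends HEADERS followed by 20 CONTINUATION frames that never set END_HEADERS.
SAMPLE = build_frame(FRAME_HEADERS, FLAG_END_HEADERS, 3, b"\x82" * 200)
SAMPLE += build_frame(FRAME_HEADERS, 0, 1, b"\x82" * 100)
for _ in range(20):
    SAMPLE += build_frame(FRAME_CONTINUATION, 0, 1, b"\x82" * 1000)

def detect_sample(limit=8 * 1024):
    """Run the check over SAMPLE with an assumed 8 KiB header block limit."""
    return find_oversized_header_blocks(SAMPLE, limit)

if __name__ == "__main__":
    print(detect_sample())  # [(1, 9100, 9)]
```

Stream 1 is flagged on its ninth CONTINUATION frame (100 + 9 * 1000 bytes), after which the remaining frames for that stream are dropped rather than accumulated; stream 3 is never reported.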
Monitoring Recommendations
- Configure Envoy's built-in statistics and monitoring endpoints to track memory allocation
- Implement connection-level rate limiting for HTTP/2 frames
- Enable detailed access logging for HTTP/2 connections to identify potential attack sources
- Use infrastructure monitoring to correlate Envoy memory usage with incoming connection patterns
How to Mitigate CVE-2024-27919
Immediate Actions Required
- Upgrade Envoy to version 1.29.2 or later immediately
- If immediate upgrade is not possible, downgrade to version 1.28.1 or earlier
- Consider disabling HTTP/2 protocol for downstream connections as a temporary measure
- Review and harden HTTP/2 connection limits and timeouts
Patch Information
The vulnerability has been addressed in Envoy version 1.29.2. The fix is available in commit 57a02565532c18eb9df972a3e8974be3ae59f2d5. Users should upgrade to the patched version as soon as possible. For detailed information about the fix, refer to the GitHub Envoy Security Advisory and the GitHub Envoy Commit Changes.
Workarounds
- Downgrade to Envoy version 1.28.1 or earlier, which is not affected by this regression
- Disable HTTP/2 protocol for downstream connections by modifying Envoy's listener configuration
- Implement upstream load balancers or WAF rules to limit HTTP/2 CONTINUATION frame rates
- Deploy memory limits and automatic restarts for Envoy containers to minimize impact of exploitation attempts
# Example: Disable HTTP/2 for downstream connections in Envoy listener config
# In your Envoy YAML configuration, modify the listener to use HTTP/1.1 only:
static_resources:
  listeners:
  - name: listener_0
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: HTTP1  # Force HTTP/1.1 only, disabling HTTP/2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.