CVE-2024-30255 Overview
CVE-2024-30255 is a CPU exhaustion vulnerability affecting Envoy, a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in vulnerable Envoy versions contains a flaw in how it processes CONTINUATION frames, allowing attackers to trigger denial of service conditions through resource exhaustion.
The vulnerability exists because Envoy's HTTP/2 codec permits clients to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. By sending a sequence of CONTINUATION frames without the END_HEADERS bit set, an attacker can cause significant CPU utilization—approximately 1 core per 300Mbit/s of traffic—ultimately resulting in denial of service through CPU exhaustion.
Critical Impact
Remote attackers can exhaust CPU resources on Envoy proxy servers without authentication, causing complete denial of service for downstream applications and services relying on the proxy.
Affected Products
- Envoy versions prior to 1.29.3
- Envoy versions prior to 1.28.2
- Envoy versions prior to 1.27.4
- Envoy versions prior to 1.26.8
Discovery Timeline
- 2024-04-04 - CVE-2024-30255 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-30255
Vulnerability Analysis
This vulnerability represents a classic resource exhaustion attack vector targeting the HTTP/2 protocol implementation. The HTTP/2 specification uses CONTINUATION frames to allow header blocks that exceed the maximum frame size to be transmitted in multiple frames. These frames must eventually be terminated with an END_HEADERS flag.
Envoy's HTTP/2 codec implementation fails to properly limit the number of CONTINUATION frames a client can send. While Envoy does enforce header map size limits, it continues accepting and processing CONTINUATION frames even after these limits are exceeded. This creates an asymmetric attack scenario where a relatively small amount of attacker bandwidth can consume disproportionate server CPU resources.
The attack efficiency is notable: consuming approximately 1 CPU core per 300Mbit/s of malicious traffic makes this attack viable even for attackers with moderate network resources. This vulnerability affects organizations using Envoy as a reverse proxy, service mesh sidecar, or API gateway, potentially disrupting entire microservice architectures.
Root Cause
The root cause is classified under CWE-390 (Detection of Error Condition Without Action). Envoy's HTTP/2 codec detects when header map limits are exceeded but fails to take appropriate action to terminate the connection or reject additional CONTINUATION frames. Instead, the codec continues processing incoming frames, consuming CPU cycles on each frame received. This implementation oversight allows the attack to proceed unchecked until system resources are exhausted.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker establishes an HTTP/2 connection to a vulnerable Envoy proxy and initiates a HEADERS frame. Instead of completing the header block normally, the attacker sends a continuous stream of CONTINUATION frames without setting the END_HEADERS bit.
Each CONTINUATION frame forces the server to process and attempt to decode header data, even when limits are exceeded. The attacker can sustain this attack from a single connection, making it difficult to distinguish from legitimate traffic without proper detection mechanisms.
The attack is particularly effective because HTTP/2 connections are typically long-lived and multiplexed, meaning a single malicious connection can coexist with legitimate traffic while consuming server resources. A proof-of-concept exploit is publicly available, demonstrating the practical exploitability of this vulnerability.
Detection Methods for CVE-2024-30255
Indicators of Compromise
- Abnormally high CPU utilization on Envoy proxy instances without corresponding increase in legitimate traffic
- HTTP/2 connections with excessive CONTINUATION frame counts in network traffic analysis
- Increased connection durations for HTTP/2 sessions without proportional request completion
- Envoy error logs showing header-map-limit-exceeded warnings for a connection that nevertheless keeps delivering CONTINUATION frames
Detection Strategies
- Monitor Envoy's built-in statistics for http2.header_overflow and http2.rx.continuation metrics showing abnormal ratios
- Implement network-level detection rules to identify HTTP/2 streams with excessive CONTINUATION frames lacking END_HEADERS
- Deploy application performance monitoring to correlate CPU spikes with HTTP/2 connection patterns
- Use SentinelOne's Singularity platform for real-time process behavior analysis to detect CPU exhaustion attack patterns
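As an added example (not Envoy's code and not part of this advisory), the following Python script implements the detection idea from the list above and the root-cause distinction from the Root Cause section. It parses raw HTTP/2 frames from a byte stream, tracks each stream's open header block, and raises an alert when a block accumulates more CONTINUATION frames or header bytes than a limit before END_HEADERS arrives. With `act_on_limit=False` it models the CWE-390 behaviour (the limit is detected but every further frame is still decoded); with `act_on_limit=True` the stream is rejected once the limit trips, so the decode work stops growing. The limit values, the `encode_frame` helper, the `sample_capture` traffic and the `analyze` function are all constructed for this example; they are not Envoy's configured limits, statistics or real traffic.

```python
"""Per-stream HTTP/2 CONTINUATION accounting over a raw frame byte stream.

Added example, not Envoy code. Limits and sample traffic are constructed.
"""
import struct
from dataclasses import dataclass

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

# Assumed example limits; a deployment would use the proxy's configured header limits.
MAX_HEADER_BLOCK_BYTES = 8 * 1024
MAX_CONTINUATION_FRAMES = 4


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Build one RFC 9113 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for every complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) < length:
            break  # truncated trailing frame in the capture
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


@dataclass
class Alert:
    stream_id: int
    continuation_frames: int  # CONTINUATION frames seen when the limit tripped
    header_bytes: int         # header-block bytes seen when the limit tripped


@dataclass
class Result:
    alerts: list
    bytes_decoded: int  # header-block bytes that reached the (simulated) HPACK decoder


def analyze(data: bytes, act_on_limit: bool = True,
            max_bytes: int = MAX_HEADER_BLOCK_BYTES,
            max_frames: int = MAX_CONTINUATION_FRAMES) -> Result:
    """Track open header blocks per stream and flag those that exceed the limits.

    act_on_limit=True models the patched behaviour: a stream that trips a limit is
    rejected and its later CONTINUATION frames are not decoded.
    act_on_limit=False models the CWE-390 behaviour: the limit is detected and
    reported, but every further frame is still decoded.
    """
    open_blocks = {}  # stream_id -> [continuation_count, header_bytes]
    rejected, alerts, bytes_decoded = set(), [], 0
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == TYPE_HEADERS:
            open_blocks[sid] = [0, 0]
        elif ftype == TYPE_CONTINUATION:
            if sid in rejected or sid not in open_blocks:
                continue  # rejected stream, or CONTINUATION with no open block (protocol error)
            open_blocks[sid][0] += 1
        else:
            continue  # DATA, SETTINGS, etc. carry no header block
        state = open_blocks[sid]
        state[1] += len(payload)
        bytes_decoded += len(payload)  # the per-frame decode work that a flood multiplies
        over_limit = state[1] > max_bytes or state[0] > max_frames
        if over_limit and all(a.stream_id != sid for a in alerts):
            alerts.append(Alert(sid, state[0], state[1]))  # report once per stream
        if over_limit and act_on_limit:
            rejected.add(sid)
            del open_blocks[sid]
        elif flags & FLAG_END_HEADERS:
            del open_blocks[sid]
    return Result(alerts, bytes_decoded)


def sample_capture(flood_frames: int) -> bytes:
    """Constructed sample traffic (not a real capture); zero bytes stand in for HPACK data."""
    block = b"\x00" * 1024
    frames = [
        encode_frame(TYPE_HEADERS, FLAG_END_HEADERS, 1, block[:200]),  # ordinary request
        encode_frame(TYPE_HEADERS, 0, 3, block),                       # large but legitimate
        encode_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 3, block),   # ...terminated properly
    ]
    if flood_frames:  # stream 5: a header block whose END_HEADERS never arrives
        frames.append(encode_frame(TYPE_HEADERS, 0, 5, block))
        frames += [encode_frame(TYPE_CONTINUATION, 0, 5, block) for _ in range(flood_frames)]
    return b"".join(frames)


if __name__ == "__main__":
    for mode in (True, False):
        res = analyze(sample_capture(20), act_on_limit=mode)
        print(f"act_on_limit={mode}: alerts={res.alerts} bytes_decoded={res.bytes_decoded}")
```

Running the script shows one alert for stream 5 in both modes, but `bytes_decoded` keeps growing with the number of CONTINUATION frames only when `act_on_limit` is False, which is the asymmetry the advisory describes. To use the same logic on real traffic, feed `analyze` the decrypted HTTP/2 bytes of one connection (after the connection preface) and tune the two limits to the header sizes your deployment actually allows.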
Monitoring Recommendations
- Configure alerting thresholds on Envoy proxy CPU utilization exceeding baseline by significant margins
- Enable detailed HTTP/2 frame logging during incident investigation to identify attack sources
- Implement connection rate limiting at the network edge to reduce attack amplification potential
- Establish baseline metrics for CONTINUATION frame ratios in normal traffic for anomaly detection
How to Mitigate CVE-2024-30255
Immediate Actions Required
- Upgrade Envoy to patched versions: 1.29.3, 1.28.2, 1.27.4, or 1.26.8 depending on your release branch
- If immediate patching is not possible, disable HTTP/2 protocol for downstream connections as a temporary workaround
- Review and enable rate limiting configurations on Envoy listeners to reduce attack surface
- Monitor Envoy instances for signs of CPU exhaustion attacks during the upgrade window
Patch Information
Envoy has released security patches addressing this vulnerability across all supported release branches. Users should upgrade to the following versions based on their current deployment:
| Current Branch | Patched Version |
|---|---|
| 1.29.x | 1.29.3 |
| 1.28.x | 1.28.2 |
| 1.27.x | 1.27.4 |
| 1.26.x | 1.26.8 |
Full details are available in the GitHub Security Advisory GHSA-j654-3ccm-vfmm.
Workarounds
- Disable HTTP/2 support for downstream connections by configuring listeners to accept only HTTP/1.1
- Implement connection limits and rate limiting at load balancers in front of Envoy instances
- Deploy web application firewalls capable of inspecting HTTP/2 frame sequences for anomalous patterns
- Consider temporarily routing traffic through HTTP/1.1-only paths for critical services until patching is complete
```yaml
# Envoy listener configuration to disable HTTP/2 (workaround)
# Apply to downstream_protocol_config in listener configuration
listeners:
- name: listener_0
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8080
  filter_chains:
  - filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        codec_type: HTTP1
        # Forces HTTP/1.1 only, disabling vulnerable HTTP/2 stack
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.