CVE-2024-53269 Overview
CVE-2024-53269 affects Envoy, a cloud-native high-performance edge, middle, and service proxy widely deployed in service mesh and API gateway architectures. The vulnerability resides in the Happy Eyeballs sorting algorithm used to prioritize connection attempts across multiple addresses. When additional addresses supplied to the algorithm are not IP addresses, the data plane crashes. Remote attackers can trigger the condition without authentication, causing denial of service to proxied traffic. The issue is fixed in Envoy releases 1.32.2, 1.31.4, and 1.30.8.
Critical Impact
Unauthenticated network-based denial of service against Envoy data plane processes, disrupting all traffic flowing through affected proxies.
Affected Products
- Envoy proxy versions prior to 1.30.8
- Envoy proxy versions prior to 1.31.4
- Envoy proxy versions prior to 1.32.2
Discovery Timeline
- 2024-12-18 - CVE-2024-53269 published to NVD
- 2025-08-28 - Last updated in NVD database
Technical Details for CVE-2024-53269
Vulnerability Analysis
The flaw is categorized under CWE-670 (Always-Incorrect Control Flow Implementation). Envoy implements the Happy Eyeballs algorithm (RFC 8305) to interleave IPv4 and IPv6 connection attempts for faster, more reliable client connectivity. The sorting routine assumes every entry in the address list is a parsed IP address. When the additional address list contains non-IP entries, the sorting comparator triggers an unhandled condition that crashes the Envoy data plane process.
A crash of the data plane terminates active connections and halts new traffic until the process restarts. In production deployments fronting microservices, this affects every client request routed through the impacted proxy instance.
Root Cause
The root cause is missing input validation in the Happy Eyeballs address-sorting logic. The algorithm operates on the assumption that all additional addresses are valid IP address structures. The code path lacks a type check before invoking comparison operations on the address objects, leading to an unrecoverable error when non-IP values are encountered.
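To illustrate the root cause, here is an added Python model of the RFC 8305 address-interleaving step (example code, not Envoy's implementation): the unchecked variant assumes every entry is an IP literal and aborts on the first hostname, while the hardened variant validates each entry before sorting and reports the rejects, which is the same check a resolver-response inspection would log. The sample address list is constructed.

```python
"""Happy Eyeballs style address ordering, unchecked versus validated.

Added example, not Envoy code. Models RFC 8305 address sorting: the first
address fixes the preferred family, and the rest are interleaved so that
connection attempts alternate between IPv4 and IPv6.
"""
import ipaddress
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample: a resolver response with a hostname mixed in.
SAMPLE_ADDRESSES = ["10.0.0.10", "2001:db8::1", "backend.internal", "10.0.0.11"]


def _interleave(parsed: List[IPAddr]) -> List[IPAddr]:
    """Alternate families, preserving order within each family."""
    if not parsed:
        return []
    preferred = parsed[0].version
    primary = [a for a in parsed if a.version == preferred]
    other = [a for a in parsed if a.version != preferred]
    ordered: List[IPAddr] = []
    for i in range(max(len(primary), len(other))):
        if i < len(primary):
            ordered.append(primary[i])
        if i < len(other):
            ordered.append(other[i])
    return ordered


def interleave_unchecked(addresses: List[str]) -> List[str]:
    """Sorting that trusts its input: a non-IP entry raises ValueError,
    which models the unhandled condition that takes the process down."""
    parsed = [ipaddress.ip_address(a) for a in addresses]
    return [str(a) for a in _interleave(parsed)]


def interleave_validated(addresses: List[str]) -> Tuple[List[str], List[str]]:
    """Hardened sorting: validate every entry first, drop and report anything
    that is not an IP literal, then interleave only the valid addresses."""
    parsed: List[IPAddr] = []
    rejected: List[str] = []
    for a in addresses:
        try:
            parsed.append(ipaddress.ip_address(a))
        except ValueError:
            rejected.append(a)  # log or alert on these in a real deployment
    return [str(a) for a in _interleave(parsed)], rejected
```

Running `interleave_validated(SAMPLE_ADDRESSES)` yields the interleaved IP list plus `["backend.internal"]` as the rejected entry, whereas `interleave_unchecked` on the same input raises before any ordering takes place.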
Attack Vector
The vulnerability is exploitable over the network with low attack complexity and no privileges or user interaction. An attacker who can influence the address resolution path, such as through a controlled DNS response or an upstream configuration that returns non-IP additional addresses, can force the data plane to crash. Repeated triggering produces a sustained denial of service. Patch details are published in the Envoy GitHub Security Advisory GHSA-mfqp-7mmj-rm53.
Detection Methods for CVE-2024-53269
Indicators of Compromise
- Unexpected Envoy process restarts or core dumps tied to the Happy Eyeballs code path.
- Crash logs referencing address sorting or connection attempt prioritization in the data plane.
- Spikes in upstream connection failures correlated with non-IP address values in resolver responses.
Detection Strategies
- Monitor the Envoy server.live and server.uptime admin statistics; an uptime value that drops back toward zero indicates a process restart.
- Inspect DNS resolver responses feeding Envoy for non-IP additional address entries.
- Correlate proxy crash events with traffic patterns to identify reproducible triggers.
Monitoring Recommendations
- Alert on Envoy version strings across the fleet that are below the fixed release of their minor line (1.30.8, 1.31.4, or 1.32.2).
- Track cluster.*.upstream_cx_connect_fail and process restart counts in observability pipelines.
- Log and review all DNS responses used by Envoy clusters configured with Happy Eyeballs.
How to Mitigate CVE-2024-53269
Immediate Actions Required
- Upgrade Envoy to 1.32.2, 1.31.4, or 1.30.8 or later across all data plane instances.
- Inventory all service mesh and gateway deployments using Envoy, including Istio, Consul, and standalone proxies.
- Validate that DNS resolvers and discovery services return only IP addresses to Envoy clusters.
Patch Information
The upstream fix is in Envoy pull request 37743. Patched releases are Envoy 1.32.2, 1.31.4, and 1.30.8. Downstream distributions, including Istio and managed service mesh offerings, should be updated to versions that incorporate these Envoy builds.
Workarounds
- Disable the Happy Eyeballs feature in Envoy cluster configuration where upgrade is not immediately feasible.
- Restrict cluster IP address configurations to validated IP-only entries, avoiding hostnames in additional address lists.
- Apply network policies to limit which upstream resolvers Envoy can query, reducing exposure to attacker-controlled responses.
# Configuration example: disable Happy Eyeballs by restricting the cluster to a single address family.
# In the Envoy cluster config, set dns_lookup_family to V4_ONLY or V6_ONLY.
clusters:
- name: upstream_service
  type: STRICT_DNS
  dns_lookup_family: V4_ONLY
  load_assignment:
    cluster_name: upstream_service
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 10.0.0.10
              port_value: 8080
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.