CVE-2023-35945 in Envoy

Summary

by MITRE • 07/14/2023

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if the connection is already marked for not sending more requests due to the `GOAWAY` frame. The clean-up code is right after the return statement, causing a memory leak. This results in denial of service through memory exhaustion. This vulnerability was patched in version(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.


Analysis

by VulDB Data Team • 03/21/2025

CVE-2023-35945 affects Envoy, the cloud-native edge/middle/service proxy that sits at the core of most service mesh deployments. The flaw is in Envoy's HTTP/2 codec, specifically in how the nghttp2-based codec tears down pending requests when an upstream server sends a RST_STREAM frame immediately followed by a GOAWAY frame. That ordering puts the connection into a state where cleanup of the request's header map and bookkeeping structures is skipped, so each occurrence leaks memory. The leak is not exploitable for code execution; its impact is denial of service through memory exhaustion of the proxy process, which degrades the availability of every service that depends on that Envoy instance for HTTP/2 upstream traffic.

The root cause is an ordering mistake in nghttp2, the HTTP/2 library Envoy's codec is built on. When a GOAWAY frame arrives, the connection is marked as no longer accepting new requests. The routine that then cleans up pending requests checks that mark and takes an error return path, but the code that releases the request's bookkeeping structure and its pending compressed (HPACK) header block is placed after that return statement, so it never executes for a connection in the GOAWAY state. The requests are no longer valid, yet the memory allocated for their header maps and bookkeeping remains allocated for the lifetime of the process. This is CWE-401, Missing Release of Memory after Effective Lifetime: a cleanup path that an early return makes unreachable. The practical lesson is that any function with multiple exits needs its release logic either before every return or in a single exit path that all returns go through.
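The following C program is an added illustration of that pattern and is not nghttp2's or Envoy's code. It models a session with three pending requests, parses a constructed upstream byte stream consisting of RST_STREAM(stream 1) immediately followed by GOAWAY, and runs the pending-request sweep through two variants of the close routine: one with the cleanup placed after the GOAWAY error return, one with the cleanup placed before it. Every type, function and constant name (pending_req, session, close_pending_vuln, close_pending_fixed, simulate_upstream, UPSTREAM_FRAMES) is hypothetical; the instrumented allocation counter is what makes the leak visible.

```c
/* Added illustration, not nghttp2's or Envoy's code: it models the bug class
 * behind CVE-2023-35945, an error return taken because the connection is
 * already marked by GOAWAY that sits before the cleanup of a pending
 * request's bookkeeping. All names are hypothetical; the frame bytes are
 * constructed for the demo. */
#include <stdint.h>
#include <stdlib.h>

enum { H2_RST_STREAM = 0x3, H2_GOAWAY = 0x7 };   /* RFC 9113 frame types */
enum { RV_OK = 0, RV_GOAWAY = -1 };

/* Hypothetical bookkeeping for a request whose HPACK block is still pending. */
typedef struct pending_req {
    int32_t stream_id;
    uint8_t *compressed_headers;
    struct pending_req *next;
} pending_req;

typedef struct {
    pending_req *pending;  /* requests not yet fully sent upstream */
    int goaway_received;   /* connection marked: send no more requests */
    size_t live_allocs;    /* instrumentation: heap objects not yet freed */
} session;

static void req_add(session *s, int32_t stream_id, size_t header_len) {
    pending_req *r = calloc(1, sizeof *r);
    if (!r || !(r->compressed_headers = malloc(header_len))) abort();
    r->stream_id = stream_id;
    r->next = s->pending;
    s->pending = r;
    s->live_allocs += 2;                /* the struct and its header block */
}
/* The cleanup both variants are supposed to reach: unlink and free. */
static void req_unlink_free(session *s, pending_req **link) {
    pending_req *r = *link;
    *link = r->next;
    free(r->compressed_headers);
    free(r);
    s->live_allocs -= 2;
}
/* Vulnerable shape: the GOAWAY error path returns before the cleanup. */
static int close_pending_vuln(session *s, pending_req **link) {
    if (s->goaway_received)
        return RV_GOAWAY;               /* the cleanup below never runs */
    req_unlink_free(s, link);
    return RV_OK;
}
/* Fixed shape: release the bookkeeping first, then report the error. */
static int close_pending_fixed(session *s, pending_req **link) {
    int rv = s->goaway_received ? RV_GOAWAY : RV_OK;
    req_unlink_free(s, link);
    return rv;
}
/* Close the request for stream_id, or every request when stream_id is 0. */
static void drop_pending(session *s, int32_t stream_id, int fixed) {
    pending_req **pp = &s->pending;
    while (*pp) {
        pending_req *r = *pp;
        size_t before = s->live_allocs;
        if (stream_id == 0 || r->stream_id == stream_id) {
            if (fixed) close_pending_fixed(s, pp);
            else       close_pending_vuln(s, pp);
        }
        if (s->live_allocs == before)   /* nothing freed: r is still linked */
            pp = &r->next;
    }
}

/* Constructed upstream bytes: RST_STREAM(stream 1, CANCEL) immediately
 * followed by GOAWAY(last_stream_id 0, NO_ERROR). */
const uint8_t UPSTREAM_FRAMES[] = {
    0x00, 0x00, 0x04, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08,
    0x00, 0x00, 0x08, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Parse raw HTTP/2 frames (9-byte header: 24-bit length, type, flags, 31-bit
 * stream id), apply them to a session holding three pending requests, and
 * return how many heap objects the chosen close routine failed to release. */
size_t simulate_upstream(const uint8_t *buf, size_t len, int fixed) {
    session s = {0};
    req_add(&s, 1, 300);
    req_add(&s, 3, 300);
    req_add(&s, 5, 300);
    for (size_t off = 0; off + 9 <= len;) {
        uint32_t flen = ((uint32_t)buf[off] << 16) | ((uint32_t)buf[off + 1] << 8) | buf[off + 2];
        uint8_t type = buf[off + 3];
        int32_t sid = (int32_t)((((uint32_t)buf[off + 5] << 24) | ((uint32_t)buf[off + 6] << 16)
                               | ((uint32_t)buf[off + 7] << 8) | buf[off + 8]) & 0x7fffffffu);
        if (off + 9 + flen > len) break;    /* truncated frame: stop parsing */
        if (type == H2_RST_STREAM) {
            drop_pending(&s, sid, fixed);   /* no GOAWAY yet: freed either way */
        } else if (type == H2_GOAWAY) {
            s.goaway_received = 1;          /* mark the connection first... */
            drop_pending(&s, 0, fixed);     /* ...then sweep the pending list */
        }
        off += 9 + flen;
    }
    size_t leaked = s.live_allocs;          /* what the sweep left behind */
    while (s.pending)                       /* release it so the demo itself is clean */
        req_unlink_free(&s, &s.pending);
    return leaked;
}
```

Calling simulate_upstream(UPSTREAM_FRAMES, sizeof UPSTREAM_FRAMES, 0) reports four outstanding objects (two requests, each a struct plus a header block) after the GOAWAY sweep, while the fixed variant reports zero. The RST_STREAM on stream 1 is released correctly in both variants because it arrives before the connection is marked; only the requests swept after the GOAWAY mark hit the early return. Run either variant under AddressSanitizer's leak checker or valgrind with the final cleanup loop removed and the same four objects show up as definitely lost.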

The operational impact goes beyond a one-off allocation. Each occurrence of the sequence leaks one header map plus its bookkeeping, so a party that controls an upstream server Envoy connects to can repeat the RST_STREAM then GOAWAY sequence on connection after connection and drive the proxy's resident memory up until it is killed by the OOM killer or its container limit. The trigger comes from the upstream side, not from the downstream client, so the realistic threat is a malicious or compromised upstream: a third-party backend the proxy forwards to, or a compromised workload in a mesh where peer Envoys and services are upstreams of one another. In a mesh, the loss of a sidecar or gateway proxy takes every route through it offline, so a single hostile upstream can affect far more than the one service it fronts. In ATT&CK terms this maps to T1499.004, Endpoint Denial of Service: Application or System Exploitation, since the exhaustion comes from a defect in a specific implementation rather than from flooding the network.

Organizations running Envoy should upgrade affected instances to 1.26.3, 1.25.8, 1.24.9 or 1.23.11 (or later), which carry the corrected nghttp2 cleanup path so that the bookkeeping and pending compressed header are released regardless of the early return. Until then, the exposure is bounded by which upstreams an Envoy instance talks to over HTTP/2: proxies whose only upstreams are trusted, operator-controlled services are at lower risk than egress gateways or proxies that forward to third-party endpoints. Operators should track per-process memory of Envoy instances (the server.memory_allocated and server.memory_heap_size stats from the admin interface, or container memory metrics) and alert on steady growth that does not track request volume, which is the signature of this class of leak. Envoy's overload manager can cap the damage by shedding load or refusing new connections when a heap-size resource monitor crosses a threshold, which turns an unbounded leak into a controlled restart rather than an uncontrolled crash. Watching for upstream connections that repeatedly close with RST_STREAM immediately followed by GOAWAY is a useful secondary signal, but memory trend monitoring is the check that actually catches exploitation.

Responsible

GitHub, Inc.

Reservation

06/20/2023

Disclosure

07/14/2023

Moderation

accepted

CPE

ready

EPSS

0.01106

KEV

no

Activities

very low
