VYPR
High severity · NVD Advisory · Published Aug 13, 2019 · Updated Aug 5, 2024

CVE-2019-14993

Description

Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Istio before 1.1.13/1.2.4 mishandles regex for long URIs in JWT, VirtualService, HTTPAPISpecBinding, QuotaSpecBinding APIs, enabling denial of service.

Vulnerability

Description

The vulnerability lies in Istio's regular expression (regex) handling for long URIs. Envoy's regex matching crashes when processing very large URIs, and this issue is exposed through Istio APIs that accept regex patterns: JWT, VirtualService, HTTPAPISpecBinding, and QuotaSpecBinding [1][2]. The root cause is an overflow bug in Envoy's regex parser when handling excessively long input [3].

Exploitation

Prerequisites

An attacker can exploit this remotely without authentication by sending a crafted request with a long URI matching a configured regex pattern. The attack requires that the Istio environment has regex rules defined in the mentioned APIs [2]. No special network position is needed (CVSS AV:N/AC:L/PR:N/UI:N) [1].

Impact

Successful exploitation causes Envoy to crash, resulting in a denial of service for the Istio service mesh. This affects all services relying on the affected Istio APIs, potentially disrupting traffic management and security policies [1][2].

Mitigation

Istio has released fixes in versions 1.1.13 and 1.2.4 [2]. Users should upgrade their Istio control plane as soon as possible. As a workaround, replacing regex matchers with prefix-based matchers avoids the issue [3]. Administrators can use the provided script to detect regex usage in their cluster [2].
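The workaround above (swap regex URI matchers for prefix matchers) and the detection step (find where regex rules are configured) can be combined in one audit pass. The script below is an added example for this advisory, not the detection script that Istio published. It assumes the input is the JSON List printed by `kubectl get virtualservices -A -o json`, inspects only `spec.http[].match[].uri.regex` (the JWT, HTTPAPISpecBinding and QuotaSpecBinding resources named in the advisory are not covered), rewrites a regex to a `prefix` matcher only when it is an anchored literal path followed by `.*`, and reports every other regex for manual review rather than guessing at an equivalent. The VirtualService objects in `SAMPLE_LIST` are constructed for the example.

```python
"""Audit Istio VirtualService objects for regex URI matchers and rewrite the
ones that are plain anchored prefixes as prefix matchers.

Added example for this advisory, not Istio's own detection script.
Assumption: input is the JSON List that `kubectl get virtualservices -A -o json`
prints; only spec.http[].match[].uri.regex is inspected.
"""
import copy
import json
import re

# Anchored literal path followed by a trailing wildcard, e.g. "^/api/v1/.*".
# The literal part excludes every regex metacharacter (including '.'), so
# alternation, character classes and dotted paths are left for a human.
_PREFIX_RE = re.compile(r"^\^?(/[A-Za-z0-9_/-]*)\.\*$")


def to_prefix(regex):
    """Return the equivalent prefix string, or None if no safe conversion exists."""
    m = _PREFIX_RE.match(regex)
    return m.group(1) if m else None


def find_regex_matchers(vs):
    """List (route_index, match_index, regex) for each regex URI matcher in
    one VirtualService object."""
    found = []
    for ri, route in enumerate(vs.get("spec", {}).get("http") or []):
        for mi, match in enumerate(route.get("match") or []):
            uri = match.get("uri") or {}
            if "regex" in uri:
                found.append((ri, mi, uri["regex"]))
    return found


def harden(vs):
    """Return (copy_with_prefix_matchers, rewritten, needs_review).

    rewritten holds (old_regex, new_prefix) pairs; needs_review holds regexes
    that were left in place. The input object is never modified."""
    new = copy.deepcopy(vs)
    rewritten, needs_review = [], []
    for ri, mi, rx in find_regex_matchers(vs):
        prefix = to_prefix(rx)
        if prefix is None:
            needs_review.append(rx)
            continue
        # uri is a one-of (exact | prefix | regex), so replace the whole dict.
        new["spec"]["http"][ri]["match"][mi]["uri"] = {"prefix": prefix}
        rewritten.append((rx, prefix))
    return new, rewritten, needs_review


def audit(vs_list):
    """Run harden() over every item of a kubectl List; return a report keyed by
    'namespace/name'. Objects without regex matchers are omitted."""
    report = {}
    for vs in vs_list.get("items") or []:
        if not find_regex_matchers(vs):
            continue
        meta = vs.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        new, rewritten, needs_review = harden(vs)
        report[key] = {"object": new, "rewritten": rewritten,
                       "needs_review": needs_review}
    return report


# Constructed sample input (not real cluster data) in kubectl's List shape.
SAMPLE_LIST = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "networking.istio.io/v1alpha3", "kind": "VirtualService",
         "metadata": {"name": "reviews", "namespace": "default"},
         "spec": {"hosts": ["reviews"], "http": [
             {"match": [{"uri": {"regex": "^/api/v1/.*"}}],
              "route": [{"destination": {"host": "reviews", "subset": "v1"}}]},
             {"match": [{"uri": {"regex": "^/api/(v1|v2)/products$"}},
                        {"uri": {"prefix": "/static/"}}],
              "route": [{"destination": {"host": "reviews", "subset": "v2"}}]}]}},
        {"apiVersion": "networking.istio.io/v1alpha3", "kind": "VirtualService",
         "metadata": {"name": "ratings", "namespace": "default"},
         "spec": {"hosts": ["ratings"], "http": [
             {"match": [{"uri": {"prefix": "/ratings/"}}],
              "route": [{"destination": {"host": "ratings"}}]}]}},
    ],
}


if __name__ == "__main__":
    for key, entry in audit(SAMPLE_LIST).items():
        print(key)
        for old, new in entry["rewritten"]:
            print(f"  rewrote regex {old!r} -> prefix {new!r}")
        for rx in entry["needs_review"]:
            print(f"  needs manual review: {rx!r}")
        print(json.dumps(entry["object"]["spec"]["http"], indent=2))
```

To run it against a live cluster, replace `SAMPLE_LIST` with `json.load()` of the `kubectl get virtualservices -A -o json` output. The conversion is deliberately conservative: a prefix matcher is usually narrower than the regex it replaces, so review the `needs_review` list and diff the hardened objects before applying them, and treat any regex left in place as a reason to upgrade to 1.1.13 or 1.2.4 rather than rely on the workaround.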

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions    Patched versions
istio.io/istio   Go          < 1.1.13             1.1.13
istio.io/istio   Go          >= 1.2.0, < 1.2.4    1.2.4

Affected products: 55

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in our index yet)