CVE-2020-25018
Description
Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Envoy master versions between 2d69e30 and 3b5acb2 crash when parsing URLs with Internationalized Domain Names due to failed Punycode encoding.
Vulnerability
Envoy master versions between commit 2d69e30 and 3b5acb2 (inclusive) contain a vulnerability in the URL parser. When a request URL includes an Internationalized Domain Name (IDN) as the host component, the parser attempts to perform Punycode encoding (converting Unicode to ASCII). However, the conversion data is not available, causing the conversion to fail and leading to a segmentation fault (crash). [1]
Exploitation
An attacker can trigger this vulnerability by sending a crafted HTTP request with an IDN host to an affected Envoy proxy. No authentication or special network position is required; the request can be sent over the network. The attacker does not need user interaction. The crash occurs during URL parsing before any request processing. [1]
Impact
Successful exploitation results in a denial of service (DoS) due to abnormal termination of the Envoy proxy process. The crash is a segmentation fault, causing the proxy to stop serving traffic. The confidentiality and integrity of data are not affected, but availability is compromised. [1]
Mitigation
The fix was introduced in Envoy master after commit 3b5acb2. Users should update to a version that includes the fix. As of the advisory publication (2020-10-01), no workaround is mentioned. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Envoy/Envoy
Patches
No patches discovered yet.
References
- github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673 (mitre, x_refsource_MISC)
- groups.google.com/forum/ (mitre, x_refsource_MISC)