Unrated severityNVD Advisory· Published Jun 9, 2022· Updated Apr 22, 2025

Zip bomb vulnerability in Envoy

CVE-2022-29225

Description

Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 secompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.

Affected products

Envoyproxy/Envoyv5
Range: < 1.22.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343mitrex_refsource_MISC
github.com/envoyproxy/envoy/security/advisories/GHSA-75hv-2jjj-89hhmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000