Unrated severityNVD Advisory· Published Apr 4, 2024· Updated Nov 4, 2025

HTTP/2: memory exhaustion due to CONTINUATION frame flood

CVE-2024-27919

Description

Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, theEnvoy HTTP/2 protocol stack is vulnerable to the flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption. This can lead to denial of service through memory exhaustion. Users should upgrade to versions 1.29.2 to mitigate the effects of the CONTINUATION flood. Note that this vulnerability is a regression in Envoy version 1.29.0 and 1.29.1 only. As a workaround, downgrade to version 1.28.1 or earlier or disable HTTP/2 protocol for downstream connections.

Affected products

Envoyproxy/Envoyv5
Range: >= 1.29.0, < 1.29.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/envoyproxy/envoy/commit/57a02565532c18eb9df972a3e8974be3ae59f2d5mitrex_refsource_MISC
github.com/envoyproxy/envoy/security/advisories/GHSA-gghf-vfxp-799rmitrex_refsource_CONFIRM
www.openwall.com/lists/oss-security/2024/04/03/16mitre
www.openwall.com/lists/oss-security/2024/04/05/3mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.019
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000