{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53270", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-19T20:08:14.482Z", "datePublished": "2024-12-18T19:12:18.775Z", "dateUpdated": "2024-12-18T21:35:24.476Z"}, "containers": {"cna": {"title": "HTTP/1: sending overload crashes when the request is reset beforehand in envoy", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3"}, {"name": "https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02", "tags": ["x_refsource_MISC"], "url": "https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02"}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"version": ">= 1.32.0, < 1.32.3", "status": "affected"}, {"version": ">= 1.31.0, < 1.31.5", "status": "affected"}, {"version": ">= 1.30.0, < 1.30.9", "status": "affected"}, {"version": "< 1.29.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-18T19:12:18.775Z"}, "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold."}], "source": {"advisory": "GHSA-q9qv-8j52-77p3", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-18T21:34:59.313563Z", "id": "CVE-2024-53270", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-18T21:35:24.476Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53270", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-18T21:34:59.313563Z"}}}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-18T21:35:19.749Z"}}], "cna": {"title": "HTTP/1: sending overload crashes when the request is reset beforehand in envoy", "source": {"advisory": "GHSA-q9qv-8j52-77p3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"status": "affected", "version": ">= 1.32.0, < 1.32.3"}, {"status": "affected", "version": ">= 1.31.0, < 1.31.5"}, {"status": "affected", "version": ">= 1.30.0, < 1.30.9"}, {"status": "affected", "version": "< 1.29.12"}]}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3", "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02", "name": "https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670: Always-Incorrect Control Flow Implementation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-18T19:12:18.775Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53270", "state": "PUBLISHED", "dateUpdated": "2024-12-18T21:35:24.476Z", "dateReserved": "2024-11-19T20:08:14.482Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-18T19:12:18.775Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A36E6AD-FBE3-4C18-A627-DF988A5E51C8", "versionEndExcluding": "1.29.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D053505-B0A7-4719-9AEC-15D520D1AE04", "versionEndExcluding": "1.30.9", "versionStartIncluding": "1.30.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "1095DF48-5B40-4A98-97B5-6E021499D800", "versionEndExcluding": "1.31.5", "versionStartIncluding": "1.31.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC2A8D30-4E42-4613-AF2F-FA99599F5454", "versionEndExcluding": "1.32.3", "versionStartIncluding": "1.32.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold."}, {"lang": "es", "value": "Envoy es un proxy de servicio, de borde y de medio alcance de alto rendimiento nativo de la nube. En las versiones afectadas, `sendOverloadError` asumir\u00e1 que existe la solicitud activa cuando se configura `envoy.load_shed_points.http1_server_abort_dispatch`. Si `active_request` es nullptr, solo se llama a onMessageBeginImpl(). Sin embargo, `onMessageBeginImpl` devolver\u00e1 directamente el estado ok si la secuencia ya se restableci\u00f3 y conduce a la referencia nullptr. El restablecimiento descendente puede ocurrir durante el restablecimiento ascendente de H/2. Como resultado, Envoy puede bloquearse. Este problema se ha solucionado en las versiones 1.32.3, 1.31.5, 1.30.9 y 1.29.12. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar pueden deshabilitar el punto de desconexi\u00f3n de carga `http1_server_abort_dispatch` o usar un umbral alto."}], "id": "CVE-2024-53270", "lastModified": "2025-09-04T13:47:17.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-18T20:15:24.290", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory", "Exploit", "Mitigation"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory", "Exploit", "Mitigation"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1053", "cpe": "cpe:/a:redhat:service_mesh:2.6::el9", "package": "openshift-service-mesh/proxyv2-rhel9:2.6.5-4", "product_name": "Red Hat OpenShift Service Mesh 2.6 for RHEL 9", "release_date": "2025-02-05T00:00:00Z"}], "bugzilla": {"description": "envoy: HTTP/1: sending overload crashes when the request is reset beforehand in envoy", "id": "2333091", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333091"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-670", "details": ["Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold.", "A flaw was found in Envoy. In systems where `http1_server_abort_dispatch` is configured, Envoy does not properly handle the control flow during H1 stream resets. This can trigger a null pointer error and lead to an application crash."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-53270", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/pilot-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/proxyv2-rhel8", "product_name": "OpenShift Service Mesh 2"}], "public_date": "2024-12-18T19:12:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53270\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53270\nhttps://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02\nhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3"], "statement": "This vulnerability in Envoy Proxy is marked as important severity rather than moderate due to its ability to cause a null pointer dereference, leading to a complete crash of the proxy under specific conditions. As Envoy is commonly deployed in mission-critical roles such as a high-performance edge, middle, or service proxy, a crash can disrupt downstream and upstream communication, effectively bringing down services dependent on Envoy. The issue is exacerbated by its potential to occur during load shedding, a mechanism typically invoked during resource exhaustion, which is a critical time for maintaining service availability.", "threat_severity": "Important"}

{}