CNCF Envoy Excessive Memory Consumption Vulnerability in HTTP/1.1 Chunked Responses

A memory consumption vulnerability has been identified in CNCF Envoy versions prior to 1.13.0. When proxying HTTP/1.1 requests or responses that contain many small chunks (approximately 1 byte each), Envoy can use excessive amounts of memory. This occurs because Envoy allocates a separate buffer for each chunk, rounding up to the nearest 4KB, and fails to release empty chunks after the data has been committed. As a result, handling requests or responses with numerous small chunks can lead to a significant increase in memory usage, potentially two to three times more than the configured buffer limits. This issue has been acknowledged by the Envoy project and is being addressed in the official Envoy GitHub repository.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by exhausting available memory resources, leading to increased latency or failure to process requests.

Reproduction

To reproduce this vulnerability, send an HTTP/1.1 request or response with a large number of small (1 byte) chunks. Envoy will allocate a separate buffer for each chunk, causing excessive memory usage.

Remediation

Users can upgrade to Envoy versions 1.13.1 or 1.12.3, both of which include the necessary fix.