Envoy
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*
- < 1.37.1
- < 1.36.5
- < 1.35.8
- < 1.34.13
A logic vulnerability allowing Zombie Stream Filter Execution has been identified in Envoy versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13. This vulnerability creates a Use-After-Free (UAF) condition in the HTTP connection manager's FilterManager component. When an HTTP/2 stream is reset, the ActiveStream object remains valid in memory during the deferred deletion period. If a DATA frame is received on the stream immediately after the reset, the HTTP/2 codec can invoke ActiveStream::decodeData, which cascades to FilterManager::decodeData. This method does not check whether the stream has been reset, so filter callbacks are executed on a logically dead stream. The vulnerability is located in source/common/http/filter_manager.cc, within the FilterManager::decodeData method.
Exploitation of this vulnerability leads to a Use-After-Free condition, causing a crash and creating a memory corruption scenario. In a heap-groomed environment, this could be exploited to execute arbitrary code remotely, especially in Envoy deployments using memory-unsafe extensions or third-party filters.
The vulnerability can be reproduced by creating an HTTP/2 stream, triggering a reset (simulating an overload or timeout), and then immediately injecting a DATA frame into the stream. This can be done using a C++ unit test that mocks the necessary components and asserts that the filter's decodeData callback is called on the reset stream.
Users can upgrade to Envoy versions 1.37.1, 1.36.5, 1.35.8, or 1.34.13 to address this vulnerability.
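As an added illustration (not Envoy's own code), the following C++ model shows the defect class the advisory describes and the guard that closes it: a reset stream that is still allocated because deletion is deferred, a data path that dispatches to filters without checking the reset state, and the checked variant that drops the late frame. All class and function names here are hypothetical stand-ins, not Envoy identifiers.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model of the bug class in the advisory, not Envoy's own code: a
// stream that has been reset but is still allocated because deletion is
// deferred to the end of the event-loop iteration. A DATA frame arriving in
// that window must not reach the filter chain.
struct CountingFilter {
  int decode_data_calls = 0;
  void decodeData(const std::string& /*body*/) { ++decode_data_calls; }
};

class ActiveStream {
 public:
  explicit ActiveStream(std::shared_ptr<CountingFilter> f) : filter_(std::move(f)) {}
  // Codec saw RST_STREAM: mark the stream logically dead; the object stays
  // alive until the deferred-deletion pass (stand-in for deferred deletion).
  void onResetStream() { reset_ = true; }
  // Vulnerable shape: dispatches to filters without consulting reset_.
  void decodeDataUnchecked(const std::string& body) { filter_->decodeData(body); }
  // Hardened shape: a late frame on a reset stream is dropped before any
  // filter callback runs.
  void decodeDataChecked(const std::string& body) {
    if (reset_) return;
    filter_->decodeData(body);
  }
 private:
  std::shared_ptr<CountingFilter> filter_;
  bool reset_ = false;
};

// Replays the advisory's sequence (open stream, reset it, inject DATA before
// the deferred delete runs) and returns how many filter callbacks executed on
// the dead stream: 1 reproduces the bug, 0 shows the guard working.
int filterCallsAfterReset(bool hardened) {
  auto filter = std::make_shared<CountingFilter>();
  std::vector<std::unique_ptr<ActiveStream>> deferred_delete_list;  // freed at loop end
  auto stream = std::make_unique<ActiveStream>(filter);
  ActiveStream* raw = stream.get();
  raw->onResetStream();
  deferred_delete_list.push_back(std::move(stream));  // allocated, logically dead
  const std::string late_frame = "DATA after RST_STREAM";  // constructed sample input
  if (hardened) raw->decodeDataChecked(late_frame);
  else raw->decodeDataUnchecked(late_frame);
  deferred_delete_list.clear();  // deferred deletion now actually frees the stream
  return filter->decode_data_calls;
}
```

The unchecked path reports one filter callback on the dead stream; the checked path reports none, which is the invariant a unit test for this class of defect should assert.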