International Money Flow
SECURITY ADVISORY · TLP:CLEAR · 2024-04-03

Envoy HTTP/2 CONTINUATION frame flood causes CPU exhaustion DoS

Envoy's HTTP/2 codec processes CONTINUATION frames without effective rate limiting. A remote unauthenticated client can stream CONTINUATION frames indefinitely, exhausting CPU on the target. Part of the wider 2024 HTTP/2 CONTINUATION flood disclosure class.

MEDIUM 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: 2024-04-03
Last updated: 2026-04-29
Status: PUBLISHED
CVE IDs: CVE-2024-30255
CVSS: 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected: Envoy < 1.26.8 · Envoy 1.27.0 through 1.27.4 · Envoy 1.28.0 through 1.28.2 · Envoy 1.29.0 through 1.29.3
Reporter: Bartek Nowotarski (CERT/CC coordinated)
TLP: TLP:CLEAR

Summary

Envoy’s HTTP/2 codec accepts CONTINUATION frames after a HEADERS frame without enforcing a meaningful upper bound on the aggregate header-processing work per stream. A malicious client can open a stream and send CONTINUATION frames carrying compressed garbage at line rate, forcing Envoy to spend CPU on HPACK decompression and header validation until the process is overwhelmed.

The vulnerability is one of several disclosed by CERT/CC on 2024-04-03 as the “HTTP/2 CONTINUATION flood” class, affecting multiple HTTP/2 server implementations including Apache httpd (CVE-2024-27316), nghttp2 (CVE-2024-28182), Apache Traffic Server (CVE-2024-31309), Node.js (CVE-2024-27983), and Go net/http (CVE-2023-45288).

Affected versions

Vulnerable:
  Envoy versions before 1.26.8
  Envoy 1.27.0 through 1.27.4 (inclusive)
  Envoy 1.28.0 through 1.28.2 (inclusive)
  Envoy 1.29.0 through 1.29.3 (inclusive)
Patched:
  Envoy 1.26.8, 1.27.5, 1.28.3, 1.29.4 (released 2024-04-02)

Technical detail

In HTTP/2 (RFC 9113), a HEADERS frame may be followed by zero or more CONTINUATION frames if the END_HEADERS flag was not set. The intent is to allow header blocks larger than a single frame. The protocol does not specify a maximum number of CONTINUATION frames per logical request.

Envoy’s codec performs HPACK decompression as each frame arrives, but prior to 1.26.8 it did not bound the total work done for a single stream when CONTINUATION frames continued without the END_HEADERS flag. An attacker establishes a single TCP connection, opens an HTTP/2 stream with HEADERS, then issues an unbounded sequence of CONTINUATION frames carrying compressed-but-discarded header data. The proxy continues to allocate, decompress, and validate header data without ever delivering a request to the upstream — and without the connection appearing in request-rate-limiter counters, since no request has yet been completed.

Result: a single connection can drive a worker thread to 100% CPU. With multiple connections, an attacker can exhaust all worker threads on a multi-tenant Envoy deployment.
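The per-stream bound described above, as an added illustration that is not Envoy's own codec code: a minimal HTTP/2 frame walker (RFC 9113 framing layer only, no HPACK) that tracks whether a stream has an open header block and rejects the stream once more CONTINUATION frames arrive than the limit of 100 that the advisory says patched builds enforce. The frame builder, the sample byte streams and the helper names (`check_continuation_bound`, `is_flood`, `benign_sample`, `flood_sample`) are constructed here for the example; the two sample streams are constructed inputs, not captured traffic.

```python
import struct
from dataclasses import dataclass

# HTTP/2 frame types and flags from RFC 9113
HEADERS = 0x1
CONTINUATION = 0x9
END_HEADERS = 0x4

# Bound the advisory states patched Envoy releases enforce per request
MAX_CONTINUATION_FRAMES = 100


class FrameFloodError(Exception):
    """Raised when a stream exceeds the CONTINUATION frame bound."""


@dataclass
class StreamState:
    open_header_block: bool = False   # HEADERS seen without END_HEADERS yet
    continuation_count: int = 0       # CONTINUATION frames since that HEADERS


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload.
    Used only to construct sample input for this example."""
    return (struct.pack(">I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF)
            + payload)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def check_continuation_bound(data: bytes, limit: int = MAX_CONTINUATION_FRAMES) -> dict:
    """Walk the frames, enforcing the per-stream CONTINUATION bound.
    Returns {stream_id: continuation_count}; raises FrameFloodError once any
    stream carries more than `limit` CONTINUATION frames for one header block."""
    streams: dict[int, StreamState] = {}
    for ftype, flags, sid, _payload in iter_frames(data):
        st = streams.setdefault(sid, StreamState())
        if ftype == HEADERS:
            # A new header block starts; it stays open until END_HEADERS is seen
            st.open_header_block = not (flags & END_HEADERS)
            st.continuation_count = 0
        elif ftype == CONTINUATION:
            if not st.open_header_block:
                raise ValueError(f"CONTINUATION on stream {sid} without open header block")
            st.continuation_count += 1
            if st.continuation_count > limit:
                # Patched Envoy aborts here with ENHANCE_YOUR_CALM per the advisory
                raise FrameFloodError(
                    f"stream {sid}: {st.continuation_count} CONTINUATION frames exceeds {limit}")
            if flags & END_HEADERS:
                st.open_header_block = False
    return {sid: st.continuation_count for sid, st in streams.items()}


def is_flood(data: bytes, limit: int = MAX_CONTINUATION_FRAMES) -> bool:
    """Convenience wrapper: True if the stream sequence trips the bound."""
    try:
        check_continuation_bound(data, limit)
    except FrameFloodError:
        return True
    return False


def benign_sample() -> bytes:
    """Constructed: HEADERS without END_HEADERS, then one CONTINUATION that closes the block."""
    return (build_frame(HEADERS, 0, 1, b"\x82")
            + build_frame(CONTINUATION, END_HEADERS, 1, b"\x86"))


def flood_sample() -> bytes:
    """Constructed: HEADERS without END_HEADERS followed by 101 CONTINUATION frames, none ending the block."""
    return build_frame(HEADERS, 0, 3, b"\x82") + 101 * build_frame(CONTINUATION, 0, 3, b"\x00")


if __name__ == "__main__":
    print(check_continuation_bound(benign_sample()))
    print("flood detected:", is_flood(flood_sample()))
```

The check is deliberately independent of the HPACK layer: the decision is taken on frame count alone, before any decompression work is spent on the frame, which is the property that matters for CPU exhaustion. A production codec would additionally reject CONTINUATION frames on a different stream than the open header block and any interleaved frame type, which this walker does not attempt.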

Impact

Availability impact only — there is no information disclosure or code execution path. A successful flood denies service to legitimate traffic through the affected Envoy instance until the connection is terminated or worker threads recover.

For organizations operating Envoy as a public-facing API gateway or service mesh ingress, the practical risk is loss of availability of all services routed through the affected pool. For sidecar deployments, the blast radius is per-pod.

Mitigation

  1. Upgrade to Envoy 1.26.8, 1.27.5, 1.28.3, 1.29.4, or any later release. Patched builds enforce a maximum of 100 CONTINUATION frames per request and abort the stream with ENHANCE_YOUR_CALM if exceeded.
  2. If immediate upgrade is not possible, set http2_protocol_options.max_consecutive_inbound_frames_with_empty_payload to a low value (e.g. 10) on listener configurations. This is a partial mitigation and does not fully prevent CPU pressure.
  3. Place a rate-limited L4 frontend (e.g. AWS NLB connection rate limit, HAProxy, Cloudflare) ahead of Envoy and cap per-source connection concurrency. Many financial-sector deployments already do this; verify the limits are tight enough to bound the attack.
  4. Monitor Envoy’s http2.inbound_empty_frames_flood and http2.tx_flush_timeout counters. Sudden growth indicates active exploitation or scanning.

Detection

title: Envoy HTTP/2 CONTINUATION flood signature
id: 1d3f7c5b-7d9b-4f78-bcd6-3b94e96f5b22
status: experimental
description: >-
  Detects sustained HTTP/2 streams where CONTINUATION frames vastly
  outnumber HEADERS+DATA, characteristic of CVE-2024-30255 exploitation.
logsource:
  product: envoy
  service: access_log
detection:
  selection:
    protocol: HTTP/2
    response_code_details: 'http2.too_many_continuation_frames'
  timeframe: 5m
  condition: selection | count() > 100
level: medium
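The rule above counts matching access-log records in a 5-minute window. As an added example, not part of the advisory and not an Envoy-supplied tool, the following implements the same logic over Envoy JSON access-log lines, extending the rule by grouping the window per downstream source address so that one noisy client is reported rather than a global count. The JSON field names (`start_time`, `protocol`, `response_code_details`, `downstream_remote_address`) are assumed to match an operator-configured JSON access-log format; the log lines themselves are constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Value from the advisory's detection rule
MATCH_DETAIL = "http2.too_many_continuation_frames"
WINDOW = timedelta(minutes=5)
THRESHOLD = 100


def parse_line(line: str) -> dict:
    """Parse one JSON access-log record into the fields the detector uses.
    Field names are an assumption about the operator's access-log format."""
    rec = json.loads(line)
    addr = rec.get("downstream_remote_address", "")
    return {
        "ts": datetime.fromisoformat(rec["start_time"].replace("Z", "+00:00")),
        "protocol": rec.get("protocol"),
        "detail": rec.get("response_code_details"),
        "src": addr.rsplit(":", 1)[0],   # strip the ephemeral port
    }


def detect(lines, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> list:
    """Sliding-window count of matching records per source address.
    Returns one (src, first_alert_time_iso, count) tuple per source whose
    count of matches within `window` exceeds `threshold`."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts, alerted = [], set()
    records = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    for rec in records:
        if rec["protocol"] != "HTTP/2" or rec["detail"] != MATCH_DETAIL:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the window
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and rec["src"] not in alerted:
            alerts.append((rec["src"], rec["ts"].isoformat(), len(q)))
            alerted.add(rec["src"])
    return alerts


def sample_log() -> list:
    """Constructed log: 120 rejected streams from one source one second apart,
    plus a handful of ordinary HTTP/2 requests from another source."""
    base = datetime(2024, 4, 3, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):
        lines.append(json.dumps({
            "start_time": (base + timedelta(seconds=i)).isoformat(),
            "protocol": "HTTP/2",
            "response_code": 0,
            "response_code_details": MATCH_DETAIL,
            "downstream_remote_address": "198.51.100.7:41000",
        }))
    for i in range(5):
        lines.append(json.dumps({
            "start_time": (base + timedelta(seconds=30 * i)).isoformat(),
            "protocol": "HTTP/2",
            "response_code": 200,
            "response_code_details": "via_upstream",
            "downstream_remote_address": "203.0.113.5:55000",
        }))
    return lines


if __name__ == "__main__":
    for src, when, count in detect(sample_log()):
        print(f"ALERT {src}: {count} rejected HTTP/2 header blocks within 5m, first at {when}")
```

Each source is reported once, at the moment its window first exceeds the threshold; re-arming after the window empties is left to the consuming alert pipeline. Because the advisory notes that a flooding connection never completes a request, the `response_code_details` field is the only reliable access-log signal; a detector keyed on status codes or request counts would miss it.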

Timeline

Date        Event
2024-01-25  Bartek Nowotarski reports the broader CONTINUATION flood class to CERT/CC.
2024-03-26  Envoy maintainers receive coordinated pre-disclosure.
2024-04-02  Patched Envoy releases (1.26.8, 1.27.5, 1.28.3, 1.29.4) published.
2024-04-03  Public disclosure via CERT/CC vulnerability note VU#421644 and Envoy advisory GHSA-h747-65xv-jrgg.

Acknowledgements

Discovery by Bartek Nowotarski. Coordinated disclosure by the CERT Coordination Center. Envoy patches by the Envoy security team.

References

  1. https://github.com/envoyproxy/envoy/security/advisories/GHSA-h747-65xv-jrgg — Envoy security advisory
  2. https://kb.cert.org/vuls/id/421644 — CERT/CC vulnerability note VU#421644 (HTTP/2 CONTINUATION flood class)
  3. https://nowotarski.info/http2-continuation-flood-technical-details/ — researcher writeup of the broader vulnerability class
  4. https://nvd.nist.gov/vuln/detail/CVE-2024-30255 — NIST NVD entry