CVE-2022-29225
Zip bomb vulnerability in Envoy
In short
Envoy's HTTP decompressor filter inflates compressed bodies into an intermediate buffer with no bound on how large that buffer may grow, so a small, highly compressed payload can be expanded until the proxy exhausts memory and crashes. This is an unauthenticated, remotely triggerable denial of service affecting versions before 1.22.1.
Technical detail
The vulnerability is in the decompressor filter. As each compressed chunk is decoded, the output accumulates in an intermediate buffer before the filter overwrites the body in decodeBody/encodeBody, and nothing limits the size of that buffer relative to the compressed input. An attacker therefore sends a decompression bomb (the advisory calls it a zip bomb): a body in an encoding the filter accepts, such as gzip, that inflates to roughly a thousand times its size (deflate's ratio tops out near 1032:1, so a megabyte of gzip can inflate to about a gigabyte), exhausting memory and denying service. Since both decodeBody (request path) and encodeBody (response path) are involved, compressed request bodies from clients and compressed response bodies from upstreams can both trigger it; deployments that do not configure the decompressor filter do not exercise the vulnerable code. Versions before 1.22.1 are affected. The fix is to upgrade; operators who cannot upgrade should remove the decompressor filter from their HTTP filter chains.
Summary generated and translated by AI from the official description.
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5, High: network-reachable, no privileges or user interaction required, availability impact only)
Affected products
envoyproxy · envoy