"DoS Vulnerability Allows Easy Envoy Proxy Crashes"

Researchers have uncovered a Denial-of-Service (DoS) vulnerability in Envoy Proxy that allows attackers to crash the proxy server. According to JFrog Security Research, which disclosed the vulnerability, exploitation could degrade performance or make the resources behind the proxy unavailable. Envoy is a popular open-source edge and service proxy designed for cloud-native applications and high-traffic websites. It can decompress GZip and Brotli data (two compression formats), but it places no size restriction on the Brotli decompressor's output buffer, so a "zip bomb," a malicious archive crafted to crash software or render a system unusable, can fill the buffer with a near-unlimited quantity of data. A malicious actor could exploit the vulnerability by uploading a Brotli zip bomb to the server, causing severe performance problems. Users are advised to upgrade to Envoy version 1.19.5, 1.20.4, 1.21.3, or 1.22.1 to fix the issue. This article continues to discuss the DoS vulnerability discovered in the Envoy Proxy.
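
As an added illustration of the defect the article describes (this is not Envoy's code; Python's standard zlib DEFLATE decompressor stands in for Brotli, which the standard library does not ship), the following contrasts an unbounded decompression call with one that caps total output and aborts when a small payload tries to expand past the cap. The sample bomb is constructed inline.

```python
import zlib

# Constructed sample: 8 MiB of zeros compresses to a few KiB, a toy
# decompression bomb. DEFLATE (zlib) stands in for Brotli here; the
# unbounded-output defect is the same regardless of the format.
BOMB_OUTPUT_SIZE = 8 * 1024 * 1024
BOMB = zlib.compress(b"\0" * BOMB_OUTPUT_SIZE, 9)


class OutputLimitExceeded(Exception):
    """Raised when decompressed output would exceed the configured cap."""


def inflate_unbounded(data: bytes) -> int:
    """Vulnerable pattern: one call, no limit on how large the output may grow.
    Returns the size of the fully expanded output."""
    return len(zlib.decompress(data))


def inflate_bounded(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Hardened pattern: decompress in bounded chunks and abort as soon as the
    accumulated output would exceed max_output. Memory held never exceeds
    max_output + chunk, however large the payload would expand."""
    decomp = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not decomp.eof:
        piece = decomp.decompress(pending, chunk)  # at most `chunk` bytes back
        pending = decomp.unconsumed_tail          # input zlib has not read yet
        if not piece and not pending:
            break                                 # truncated stream, nothing left
        if len(out) + len(piece) > max_output:
            raise OutputLimitExceeded(
                f"output exceeds {max_output} bytes from {len(data)}-byte input")
        out += piece
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True if `data` would expand past max_output under the bounded decoder."""
    try:
        inflate_bounded(data, max_output)
    except OutputLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print(f"payload {len(BOMB)} bytes -> {inflate_unbounded(BOMB)} bytes unbounded")
    print("rejected at 1 MiB cap:", exceeds_limit(BOMB, 1024 * 1024))
```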

Dark Reading reports "DoS Vulnerability Allows Easy Envoy Proxy Crashes"
