BIT-envoy-2026-48743

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2026-48743.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-envoy-2026-48743
Aliases
Published
2026-06-30T23:39:39.412Z
Modified
2026-07-08T08:26:26.159863705Z
Summary
Envoy: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
Details

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request's body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Database specific
{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / envoy

Package

Name
envoy
Purl
pkg:bitnami/envoy

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
1.35.0
Fixed
1.35.11
Introduced
1.36.0
Fixed
1.36.7
Introduced
1.37.0
Fixed
1.37.3
Introduced
1.38.0
Fixed
1.38.1

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2026-48743.json"