Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1, decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in decodeBody/encodeBody. This may allow an attacker to zip-bomb the decompressor by sending a small, highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
{ "vanir_signatures": [ { "id": "CVE-2022-29225-2bd63fa3", "digest": { "line_hashes": [ "142780415915752640538624935601648888484", "320101655249930298485801335548989718314", "310267022245197416253321284308181236778" ], "threshold": 0.9 }, "target": { "file": "test/extensions/compression/zstd/decompressor/zstd_decompressor_impl_test.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-4068ea82", "digest": { "length": 368.0, "function_hash": "76424093164446404733380801547737017729" }, "target": { "function": "BrotliDecompressorImpl::process", "file": "source/extensions/compression/brotli/decompressor/brotli_decompressor_impl.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Function" }, { "id": "CVE-2022-29225-467eb115", "digest": { "line_hashes": [ "317091268972786862557656766823788073065", "340209122308492380688019568976891963637", "282375181286498142752796218476193840023", "202978433500286579151994628815775813410", "76028186394935099532030133875853889760" ], "threshold": 0.9 }, "target": { "file": "test/extensions/compression/gzip/compressor_fuzz_test.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-4d8f71ee", "digest": { "length": 545.0, "function_hash": "67401435546717508420764332581265692453" }, "target": { "function": "BrotliDecompressorImpl::decompress", "file": "source/extensions/compression/brotli/decompressor/brotli_decompressor_impl.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Function" }, { "id": 
"CVE-2022-29225-8ae1ca01", "digest": { "line_hashes": [ "125650013560747653251454059167614050045", "307722277274753234394553073668242189158", "253412105963027074443487331116062424969", "64623942650657484631985055160257858105", "19916289209991940955908538685090475129", "293788362779959953150114272270729725665", "162189824944321816762358584244379806640", "85068327285804573229768579067255969012", "317693613292349228410123435195037704779", "327396870597883385523946186865122161932", "130575896074566802953457517813433775042", "220818430864592439757786281723058038761", "75409822564346868074973589349903514995", "148679501514562171884701499656999643680", "185768103381123539811200646675851471792" ], "threshold": 0.9 }, "target": { "file": "source/extensions/compression/gzip/decompressor/zlib_decompressor_impl.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-91a6a951", "digest": { "line_hashes": [ "108657500598533462109365846541086915752", "212685185898566875514548464033460217453", "81274260220187976530484627582916611235" ], "threshold": 0.9 }, "target": { "file": "test/extensions/compression/gzip/decompressor/zlib_decompressor_impl_test.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-91adfea9", "digest": { "line_hashes": [ "81993476025900949940385867039587322513", "267346905265921096151921624769888263491", "299121674200241548467109345434817446507", "206778934269766804397403671646517338005", "52550268985546451415786717294425304478", "219529496982965175681007040775837852502", "319469537851171107930202822130820819387", "93797610194673319854187186714410118525", "330403852844614541926150618702023586519", "172436123872770838557349199024630358348", 
"55609653697132863881479259815228188632", "300353753042619827135671843331598864484", "293949540968280903538352693917672011553", "108587633537507210242609878158511307392" ], "threshold": 0.9 }, "target": { "file": "source/extensions/compression/zstd/decompressor/zstd_decompressor_impl.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-ae0b4659", "digest": { "line_hashes": [ "246326900051602231549471743654772037167", "230994992815678701707766192966336701227", "305258637109499777982615690313269051974", "131983288448338302006983064715264152659", "214863495927623727885901324533806918105", "136429939547830675067632457795008189607" ], "threshold": 0.9 }, "target": { "file": "source/extensions/compression/brotli/common/base.h" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-ae9e0a11", "digest": { "line_hashes": [ "139991804194267804589808868423117982565", "324504178428015337583414013371326651247", "4534965153869730334144625837559458551" ], "threshold": 0.9 }, "target": { "file": "test/extensions/compression/brotli/decompressor/brotli_decompressor_impl_test.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-b3b7f501", "digest": { "line_hashes": [ "84781442741684063772227168653433696253", "107279065640904548696717261227945599522", "310679680547316901695614646360648371174", "24532406953358103474152851365740860171", "320407170628931933040371262806014235189", "91932256508740885248798442697112929699", "61000355425054973582068385904183219029", "96545474828561871428570754657302876271", "47333025509601047985341258365420732831", 
"125439689789362756409090881221838341125", "280389092321384179134641332284822411472", "10624148133356207386557700795884777119", "239626692865785237577088137546386481109", "138438466594644698846861145220351280904" ], "threshold": 0.9 }, "target": { "file": "source/extensions/compression/brotli/decompressor/brotli_decompressor_impl.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-b3da5732", "digest": { "length": 1462.0, "function_hash": "143255505943557602724956151138613294060" }, "target": { "function": "DEFINE_FUZZER", "file": "test/extensions/compression/gzip/compressor_fuzz_test.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Function" }, { "id": "CVE-2022-29225-b61e48d0", "digest": { "length": 396.0, "function_hash": "248473722445511962385728748609997355778" }, "target": { "function": "ZlibDecompressorImpl::decompress", "file": "source/extensions/compression/gzip/decompressor/zlib_decompressor_impl.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Function" }, { "id": "CVE-2022-29225-bb251ecf", "digest": { "line_hashes": [ "58554808888801405319427902233014504936", "5046715161525297909628177102119378649", "47885853869975323379577247600656699929", "76823280203307593560276266298140457758", "318916538532449953856732500011797359645", "225573830210090813489437319358181169121", "27076376497445491318703990772064381692" ], "threshold": 0.9 }, "target": { "file": "source/extensions/compression/zstd/decompressor/zstd_decompressor_impl.h" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": 
false, "signature_type": "Line" }, { "id": "CVE-2022-29225-bf1a8661", "digest": { "line_hashes": [ "84910361421904938133166896610405209487", "270145974410380213591890412127682521307", "151308085271142467379973637870694008864", "139661723424944768460781871138841675863", "220644878171843580455233134807489860750", "174605894090564441803838445559241608831" ], "threshold": 0.9 }, "target": { "file": "source/extensions/compression/brotli/common/base.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-c20c5f83", "digest": { "line_hashes": [ "288831971304186054491144699900609016407", "300933110413711864545622256848598338462", "269216920254889261423265436112459410770", "6261781105783172812632119669668403012" ], "threshold": 0.9 }, "target": { "file": "source/common/runtime/runtime_features.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2022-29225-ee7878e6", "digest": { "length": 704.0, "function_hash": "329564167412280202327579603115498949456" }, "target": { "function": "ZstdDecompressorImpl::decompress", "file": "source/extensions/compression/zstd/decompressor/zstd_decompressor_impl.cc" }, "signature_version": "v1", "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343", "deprecated": false, "signature_type": "Function" } ] }