CVE-2024-45807

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-45807

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45807.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-45807

Aliases

BIT-envoy-2024-45807
GHSA-qc52-r4x5-9w37

Published

2024-09-19T23:34:28Z

Modified

2025-10-22T18:43:43.797264Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

oghttp2 crash on OnBeginHeadersForStream in envoy

Details

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using oghttp as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the oghttp2 by default. The impact of this issue is that envoy will crash. This issue has been addressed in release version 1.31.2. All users are advised to upgrade. There are no known workarounds for this issue.

Database specific

{
    "cwe_ids": [
        "CWE-670"
    ]
}

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type: GIT
Repo: https://github.com/envoyproxy/envoy
Events: Introduced

7b8baff1758f0a584dcc3cb657b5032000bcb3d7

Fixed

cc4a75482810de4b84c301d13deb551bd3147339

Affected versions

v1.*

v1.31.0

v1.31.1