CVE-2023-27487
📋 TL;DR
Envoy proxy versions before 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 allow attackers to bypass JWT authentication by forging the x-envoy-original-path header. This internal header should be stripped from client requests but isn't, enabling attackers to manipulate authentication checks and logs. Any organization using vulnerable Envoy versions with JWT authentication or relying on the x-envoy-original-path header is affected.
💻 Affected Systems
- Envoy Proxy
📦 What is this software?
Envoy by Envoyproxy
⚠️ Risk & Real-World Impact
Worst Case
Complete JWT authentication bypass allowing unauthorized access to protected resources, manipulation of trace/grpc logs, and potential privilege escalation in downstream systems.
Likely Case
Authentication bypass for specific endpoints where JWT validation depends on the forged path header, enabling unauthorized API access.
If Mitigated
Limited to log manipulation and minor header injection if JWT authentication isn't used or proper input validation exists.
🎯 Exploit Status
Exploitation requires sending a forged x-envoy-original-path header, which is trivial for attackers with network access to Envoy.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.26.0, 1.25.3, 1.24.4, 1.23.6, or 1.22.9
Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-5375-pq35-hf2g
Restart Required: Yes
Instructions:
1. Identify the Envoy version.
2. Upgrade to a patched version: 1.26.0, 1.25.3, 1.24.4, 1.23.6, or 1.22.9.
3. Restart the Envoy service.
4. Verify the fix by checking the version and testing JWT authentication.
🔧 Temporary Workarounds
Header Stripping via Lua Filter
Remove the x-envoy-original-path header from incoming requests using a Lua filter that runs before JWT validation
Add Lua filter configuration to strip the header in Envoy config
Request Header Validation
Implement custom request validation to reject requests from external clients that carry the x-envoy-original-path header
Configure Envoy to validate and reject requests with forged internal headers
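The Lua header-stripping workaround above, as an added example (not the Envoy project's or the advisory's own configuration). It assumes an HttpConnectionManager http_filters chain; the jwt_authn provider, issuer, JWKS URI and cluster names are placeholders.

```yaml
# Added example: http_filters for an HttpConnectionManager listener.
# The Lua filter must come BEFORE envoy.filters.http.jwt_authn so the
# client-supplied header is already gone when JWT rule matching runs.
http_filters:
- name: envoy.filters.http.lua
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
    inline_code: |
      -- Drop any x-envoy-original-path sent by the client. Envoy's router
      -- sets this header itself when it rewrites a path, later in the chain,
      -- so removing it here only affects forged client values.
      function envoy_on_request(request_handle)
        local headers = request_handle:headers()
        if headers:get("x-envoy-original-path") ~= nil then
          headers:remove("x-envoy-original-path")
          -- Breadcrumb for access logging / SIEM (header name is our choice).
          headers:add("x-forged-original-path-stripped", "true")
        end
      end
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      example_provider:                     # placeholder provider name
        issuer: https://issuer.example      # placeholder issuer
        remote_jwks:
          http_uri:
            uri: https://issuer.example/.well-known/jwks.json  # placeholder
            cluster: jwks_cluster           # placeholder cluster
            timeout: 5s
    rules:
    - match: { prefix: / }
      requires: { provider_name: example_provider }
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Envoy lowercases header names before filters run, so the lowercase key in the Lua code matches the header however the client cases it.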
🧯 If You Can't Patch
- Implement network-level controls to restrict access to Envoy instances
- Deploy WAF or reverse proxy in front of Envoy to strip x-envoy-original-path header
🔍 How to Verify
Check if Vulnerable:
Check the Envoy version with envoy --version. If the version is older than 1.26.0, 1.25.3, 1.24.4, 1.23.6, or 1.22.9 for its release line, and the jwt_authn filter is configured, the system is vulnerable.
Check Version:
envoy --version
Verify Fix Applied:
1. Confirm the version is patched.
2. Test JWT authentication with a forged x-envoy-original-path header; the request should be rejected.
3. Verify the header is stripped from client requests.
📡 Detection & Monitoring
Log Indicators:
- Requests with x-envoy-original-path header from external IPs
- JWT authentication failures with mismatched paths
- Unexpected path values in trace/grpc logs
Network Indicators:
- HTTP requests containing x-envoy-original-path header from untrusted sources
SIEM Query:
source.ip NOT IN trusted_networks AND http.headers.x-envoy-original-path EXISTS