CVE-2024-32475

7.5 HIGH

📋 TL;DR

Envoy terminates abnormally when it proxies a request whose Host (HTTP/1.1) or :authority (HTTP/2, HTTP/3) header is longer than 255 characters to an upstream TLS cluster that has auto_sni enabled: auto_sni copies the downstream host name into the TLS SNI extension of the upstream connection, and a value above the 255-byte SNI host-name limit crashes the process instead of being rejected. The result is an unauthenticated denial of service against every Envoy deployment that uses this configuration.

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: All versions before 1.30.1, 1.29.4, 1.28.3, and 1.27.5
Operating Systems: All platforms running Envoy
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using upstream TLS clusters with auto_sni enabled. The default configuration is not vulnerable.

📦 What is this software?

Envoy is an open-source, high-performance L4/L7 edge and service proxy maintained under the CNCF. It is deployed as an internet-facing edge proxy and API gateway and, most widely, as the sidecar data plane of service meshes such as Istio, so a single vulnerable configuration is often replicated across every workload in a cluster. The affected code path is the upstream TLS client, which derives the SNI for outbound connections from the downstream Host/:authority header when auto_sni is on.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage as Envoy processes crash, disrupting all traffic proxied through vulnerable instances.

🟠

Likely Case

Intermittent service disruptions and availability issues when malicious or malformed requests trigger crashes.

🟢

If Mitigated

No impact if auto_sni is disabled on every TLS upstream cluster, or if requests carrying a Host/:authority longer than 255 characters are rejected before they reach the router filter.

🌐 Internet-Facing: HIGH - Internet-facing Envoy instances are directly exposed to malicious requests triggering crashes.
🏢 Internal Only: MEDIUM - Internal services could still be affected by malformed requests from internal sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a single, unauthenticated HTTP request whose Host or :authority header is longer than 255 characters, sent to any route that forwards to a TLS upstream cluster with auto_sni enabled. No special tooling is needed; the request is otherwise well-formed, so it passes ordinary HTTP parsing and is only rejected by the TLS layer, at which point the process terminates.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.30.1, 1.29.4, 1.28.3, or 1.27.5

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj

Restart Required: Yes

Instructions:

1. Update Envoy to a patched release: 1.30.1, 1.29.4, 1.28.3 or 1.27.5, or any later release on those branches. In a service mesh this means upgrading the proxy image on every sidecar, not only on the gateways.
2. Restart the Envoy process (a hot restart, or a rolling replacement of pods in a mesh) so the new binary serves traffic.
3. Verify the running version on each instance with envoy --version (or the admin /server_info endpoint).

🔧 Temporary Workarounds

Disable auto_sni

all

Remove auto_sni (or set it to false) in upstream_http_protocol_options on every TLS upstream cluster. In current configs this lives under typed_extension_protocol_options → envoy.extensions.upstreams.http.v3.HttpProtocolOptions; older configs may still use the deprecated top-level cluster field upstream_http_protocol_options.

Caveat: with auto_sni off, the SNI sent upstream is whatever the UpstreamTlsContext's static sni field says (nothing, if it is unset), so set sni explicitly for upstreams that require it. auto_san_validation derives the expected certificate name from the same downstream header and needs the same review.

Filter long host headers

all

Reject, rather than truncate, requests whose Host/:authority header exceeds 255 characters. Truncation would make Envoy route and handshake with a name the client did not ask for.

Do this in the HTTP filter chain ahead of the router filter, for example with an RBAC filter header matcher on :authority using a safe_regex such as ^.{256,}$ (deny action), or a short Lua filter that answers 400 when the header is too long. Note that max_request_headers_kb caps total header size in kilobytes and cannot enforce a per-header byte limit.

🧯 If You Can't Patch

  • Disable auto_sni in all upstream TLS cluster configurations
  • Implement WAF or proxy filtering to block requests with host headers exceeding 255 characters

🔍 How to Verify

Check if Vulnerable:

Run envoy --version on each instance (or read the version from the admin /server_info endpoint) and confirm whether it is below the fixed release for its branch. Then look for clusters that combine a TLS transport_socket with auto_sni: true, either in the bootstrap file or, for clusters delivered over xDS, in the admin /config_dump output. Both conditions must hold for the instance to be affected.

Check Version:

envoy --version

Verify Fix Applied:

Confirm that envoy --version reports 1.30.1, 1.29.4, 1.28.3, 1.27.5 or a later release on the same branch, on every instance (every sidecar in a mesh, not only the gateways). To test behaviourally, send a request with a 300-character Host header through a route that targets a TLS cluster with auto_sni, but only in a staging environment: on an unpatched instance the test itself takes the process down.
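The two checks above (version against the fixed releases, and configuration for TLS clusters with auto_sni) as a small audit script. This is an added example, not code from the Envoy project: it takes the output of envoy --version as a string, and a bootstrap or admin /config_dump document already loaded into a dict (json.load for JSON, yaml.safe_load for YAML). The sample version string and sample bootstrap are constructed; the exact layout of the envoy --version banner is assumed, and only the X.Y.Z token in it is relied on.

```python
"""Audit helpers for CVE-2024-32475 (added example; not Envoy project code)."""
import re

# First fixed release per maintained minor branch, per the vendor advisory.
FIRST_FIXED = {(1, 30): (1, 30, 1), (1, 29): (1, 29, 4),
               (1, 28): (1, 28, 3), (1, 27): (1, 27, 5)}

HTTP_OPTS_KEY = "envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
TLS_CTX = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(version_output: str) -> tuple:
    """Extract X.Y.Z from `envoy --version` output (banner layout assumed)."""
    match = _VERSION_RE.search(version_output)
    if match is None:
        raise ValueError(f"no X.Y.Z version in {version_output!r}")
    return tuple(int(g) for g in match.groups())


def envoy_is_patched(version_output: str) -> bool:
    """True when the version is at or past the fix for its branch. Branches
    newer than 1.30 were cut after the fix; branches older than 1.27 were
    end-of-life at the time and never received it."""
    version = parse_version(version_output)
    branch = version[:2]
    if branch in FIRST_FIXED:
        return version >= FIRST_FIXED[branch]
    return branch > (1, 30)


def _clusters_in(doc: dict):
    """Yield clusters from a bootstrap, or from admin /config_dump JSON
    (ClustersConfigDump entries wrap each cluster in a 'cluster' key)."""
    yield from doc.get("static_resources", {}).get("clusters", [])
    for cfg in doc.get("configs", []):
        if str(cfg.get("@type", "")).endswith("ClustersConfigDump"):
            for key in ("static_clusters", "dynamic_active_clusters"):
                for entry in cfg.get(key, []):
                    yield entry.get("cluster", {})


def _uses_tls(cluster: dict) -> bool:
    """TLS upstream: transport_socket, or any transport_socket_matches entry,
    carries an UpstreamTlsContext."""
    sockets = [cluster.get("transport_socket", {})]
    sockets += [m.get("transport_socket", {})
                for m in cluster.get("transport_socket_matches", [])]
    for sock in sockets:
        type_url = str(sock.get("typed_config", {}).get("@type", ""))
        if sock.get("name") == "envoy.transport_sockets.tls" or type_url.endswith("UpstreamTlsContext"):
            return True
    return False


def _auto_sni(cluster: dict) -> bool:
    """auto_sni lives in HttpProtocolOptions.upstream_http_protocol_options;
    the deprecated top-level cluster field is checked as well."""
    typed = cluster.get("typed_extension_protocol_options", {}).get(HTTP_OPTS_KEY, {})
    for opts in (typed.get("upstream_http_protocol_options", {}),
                 cluster.get("upstream_http_protocol_options", {})):
        if opts.get("auto_sni") is True:
            return True
    return False


def vulnerable_clusters(doc: dict) -> list:
    """Names of clusters that are both TLS upstreams and have auto_sni on."""
    return [c.get("name", "<unnamed>") for c in _clusters_in(doc)
            if _uses_tls(c) and _auto_sni(c)]


def _http_opts(auto_sni: bool) -> dict:
    return {HTTP_OPTS_KEY: {"@type": "type.googleapis.com/" + HTTP_OPTS_KEY,
                            "upstream_http_protocol_options": {"auto_sni": auto_sni},
                            "explicit_http_config": {"http_protocol_options": {}}}}


# Constructed sample bootstrap: one affected cluster; one TLS cluster with a
# static sni (not affected); one plaintext cluster with auto_sni set, where no
# TLS handshake happens and so no SNI is ever set.
SAMPLE_BOOTSTRAP = {"static_resources": {"clusters": [
    {"name": "api_tls_auto_sni",
     "transport_socket": {"name": "envoy.transport_sockets.tls",
                          "typed_config": {"@type": TLS_CTX}},
     "typed_extension_protocol_options": _http_opts(True)},
    {"name": "api_tls_static_sni",
     "transport_socket": {"name": "envoy.transport_sockets.tls",
                          "typed_config": {"@type": TLS_CTX, "sni": "api.example.com"}}},
    {"name": "plain_auto_sni",
     "typed_extension_protocol_options": _http_opts(True)},
]}}

if __name__ == "__main__":
    banner = "envoy  version: 0123abcd/1.29.3/Clean/RELEASE/BoringSSL"  # constructed
    print("patched:", envoy_is_patched(banner))
    print("affected clusters:", vulnerable_clusters(SAMPLE_BOOTSTRAP))
```

Run it against the bootstrap of each instance and, for xDS-managed fleets, against curl http://127.0.0.1:15000/config_dump (the admin port varies by deployment). A cluster is only listed when both conditions hold, which keeps TLS clusters with a static sni and plaintext clusters with a stray auto_sni out of the report.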

📡 Detection & Monitoring

Log Indicators:

  • Backtrace output from Envoy's fatal-signal handler on stderr, followed by an exit on SIGABRT or SIGSEGV
  • Supervisor restarts: systemd "main process exited" entries, or rising container restart counts and CrashLoopBackOff on envoy / istio-proxy containers in Kubernetes
  • Connection resets seen by clients immediately after a request carrying an oversized Host/:authority header

Network Indicators:

  • HTTP requests with host headers >255 characters
  • Sudden service unavailability

SIEM Query:

source="envoy" AND ("crash" OR "abort" OR "terminated")
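A scan for the network indicator above over access-log lines, as an added example that is not Envoy project code. It assumes Envoy's default access-log format, in which %REQ(:AUTHORITY)% is the fifth double-quoted field and X-Forwarded-For the second; adjust AUTHORITY_FIELD for a custom format. The log lines are constructed.

```python
"""Flag requests whose Host/:authority exceeds the 255-byte SNI limit
(added example; not Envoy project code). Default access-log format assumed."""
import re

SNI_MAX = 255          # longest host name the TLS library accepts for SNI
AUTHORITY_FIELD = 4    # 0-based index among the double-quoted fields
XFF_FIELD = 1
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def long_authority_hits(lines, limit=SNI_MAX):
    """Return (line_number, client_ip, authority_length) for every line whose
    authority is longer than `limit`. client_ip is the first X-Forwarded-For
    entry; lines that do not look like the default format are skipped."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = _QUOTED.findall(line)
        if len(fields) <= AUTHORITY_FIELD:
            continue
        authority = fields[AUTHORITY_FIELD]
        if len(authority) > limit:
            client = fields[XFF_FIELD].split(",")[0].strip()
            hits.append((number, client, len(authority)))
    return hits


def _line(authority, xff="203.0.113.7"):
    # Constructed line in Envoy's default access-log layout.
    return (f'[2024-04-18T10:00:00.000Z] "GET /api HTTP/1.1" 200 - 0 512 3 2 '
            f'"{xff}" "curl/8.0.1" "4c1d7a1e-0d2b-4f4e-9a4b-2b3c1d5e6f70" '
            f'"{authority}" "10.0.0.5:443"')


SAMPLE_LOG = [
    _line("api.example.com"),
    _line("a" * 300 + ".example.com", xff="198.51.100.9"),   # 312 bytes: flagged
    _line("b" * 255),                                         # at the limit: not flagged
]

if __name__ == "__main__":
    for number, client, length in long_authority_hits(SAMPLE_LOG):
        print(f"line {number}: {client} sent a {length}-byte authority")
```

One caveat on where to point it: with default settings Envoy writes the access-log entry when the stream ends, so an unpatched instance that crashed on the request never logged it. Run the scan over the logs of whatever sits in front of Envoy (CDN, load balancer, WAF), over patched instances, or over instances configured to flush the access log at request start (the HttpConnectionManager option for this is named flush_access_log_on_new_request as far as I recall; check the field name against the reference for your Envoy version).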

🔗 References

  • https://github.com/envoyproxy/envoy/security/advisories/GHSA-3mh5-6q8v-25wj