CVE-2024-32976

7.5 HIGH

📋 TL;DR

Envoy with the Brotli filter enabled can enter an endless loop while decompressing Brotli data that carries extra input, causing a denial of service. This affects Envoy deployments that use Brotli compression. The vulnerability allows an attacker to crash Envoy or degrade the proxy's performance.

💻 Affected Systems

Products:
  • envoyproxy
Versions: All versions before 1.30.3, 1.29.6, 1.28.8, 1.27.10
Operating Systems: All operating systems running Envoy
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Brotli filter is enabled and processing Brotli-compressed data

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service causing Envoy to become unresponsive, disrupting all traffic through the proxy

🟠 Likely Case: Degraded performance or service disruption for applications using Envoy with Brotli compression

🟢 If Mitigated: Minimal impact if the Brotli filter is disabled or proper input validation is implemented

🌐 Internet-Facing: HIGH - Envoy proxies exposed to internet traffic can be targeted with malicious Brotli data
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to disrupt internal services

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted Brotli data to Envoy with Brotli filter enabled

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.30.3, 1.29.6, 1.28.8, 1.27.10

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m

Restart Required: Yes

Instructions:

1. Update Envoy to a patched version (1.30.3, 1.29.6, 1.28.8, or 1.27.10).
2. Restart the Envoy service.
3. Verify the new version is running.

🔧 Temporary Workarounds

Disable Brotli filter (applies to: all versions)
  • Temporarily disable the Brotli compression filter in the Envoy configuration
  • Remove or comment out the Brotli filter configuration in envoy.yaml

Input validation (applies to: all versions)
  • Implement upstream validation of Brotli data before it reaches Envoy

🧯 If You Can't Patch

  • Disable Brotli filter in Envoy configuration immediately
  • Implement network controls to limit who can send Brotli data to Envoy

🔍 How to Verify

Check if Vulnerable:

Check the Envoy version and confirm whether the Brotli filter is enabled in the configuration

Check Version:

envoy --version

Verify Fix Applied:

Confirm the running Envoy version is 1.30.3, 1.29.6, 1.28.8, or 1.27.10, or a later release on the same release line
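The two checks above, as an added example that is not part of this page or the Envoy project: it parses `envoy --version` output, compares the build against the patched release on its release line, and flags an envoy.yaml that still references a Brotli filter on a non-comment line. The `envoy --version` output layout, the sample output and the YAML snippet are assumptions constructed for the example.

```python
import re

# Patched releases named in the advisory, keyed by (major, minor) release line.
FIXED_BY_LINE = {(1, 30): (1, 30, 3), (1, 29): (1, 29, 6),
                 (1, 28): (1, 28, 8), (1, 27): (1, 27, 10)}

# Assumed layout of `envoy --version` output:
#   envoy  version: <git-sha>/<major.minor.patch>/<Clean|Modified>/<RELEASE|DEBUG>/<tls>
VERSION_RE = re.compile(r"version:\s*[0-9a-f]+/(\d+)\.(\d+)\.(\d+)/")

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_OUTPUT = ("envoy  version: 0123456789abcdef0123456789abcdef01234567"
                         "/1.30.2/Clean/RELEASE/BoringSSL")
SAMPLE_YAML = """\
http_filters:
- name: envoy.filters.http.decompressor
  typed_config:
    decompressor_library:
      name: brotli
- name: envoy.filters.http.router
"""

def parse_envoy_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `envoy --version` output."""
    m = VERSION_RE.search(output)
    if m is None:
        raise ValueError(f"unrecognised envoy --version output: {output!r}")
    return tuple(int(g) for g in m.groups())

def version_status(version: tuple) -> str:
    """'patched', 'vulnerable', or 'unlisted' (line older than 1.27: upgrade)."""
    line = version[:2]
    if line in FIXED_BY_LINE:
        return "patched" if version >= FIXED_BY_LINE[line] else "vulnerable"
    return "patched" if line > max(FIXED_BY_LINE) else "unlisted"

def config_uses_brotli(envoy_yaml: str) -> bool:
    """True if any non-comment line of envoy.yaml references Brotli."""
    for raw in envoy_yaml.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "brotli" in line.lower():
            return True
    return False

def assess(version_output: str, envoy_yaml: str) -> str:
    """An unpatched build is only exposed when a Brotli filter is configured."""
    status = version_status(parse_envoy_version(version_output))
    if status != "patched" and not config_uses_brotli(envoy_yaml):
        return "not-exposed"
    return status
```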

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Process hanging or restarting
  • Brotli decompression errors

Network Indicators:

  • Unusual Brotli traffic patterns
  • Service unavailability on Envoy ports

SIEM Query:

source="envoy" AND ("brotli" OR "decompression") AND ("error" OR "high_cpu" OR "restart")
