Impact
A compliant HTTP/1 service should reject malformed request lines.
A non-compliant HTTP/1 service may accept malformed requests, potentially leading to a bypass of security policies.
Affected components
HTTP2/HTTP3.
Attack vector/s
Attackers can send specially crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on the HTTP/1 upstream service.
Description
Envoy does not reject HTTP/2 and HTTP/3 requests whose :method value is not a valid token as defined in https://www.rfc-editor.org/rfc/rfc9110#section-5.6.2.
In addition, per https://datatracker.ietf.org/doc/html/rfc9113#section-8.3 and https://datatracker.ietf.org/doc/html/rfc9114#section-4.3.1, HTTP/2 and HTTP/3 requests MUST include exactly one value for each of the :method, :scheme, and :path pseudo-header fields, unless the request is a CONNECT request, which may omit :scheme and :path.
Allowing invalid characters in pseudo-headers can result in an invalid request line being sent when proxying from an HTTP/2 or HTTP/3 client to an HTTP/1 upstream service.
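As an added illustration (not Envoy's code), the following Python check applies the RFC rules above to a decoded HTTP/2 or HTTP/3 header block before it is serialized as an HTTP/1 request line; the header blocks at the bottom are constructed samples, not captured traffic.

```python
import re
from collections import Counter

# tchar set from RFC 9110 section 5.6.2; a token is one or more tchars.
# Notably absent: SP, "/", ":" and all control characters.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def is_token(value: str) -> bool:
    """True if value is a valid RFC 9110 token."""
    return TOKEN_RE.fullmatch(value) is not None

def validate_pseudo_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return the violations found in an ordered (name, value) header block.

    Checks (RFC 9113 section 8.3, RFC 9114 section 4.3.1): :method appears
    exactly once and is a token; :scheme and :path appear exactly once unless
    the request is CONNECT; no pseudo-header follows a regular field.
    An empty result means the block can be safely serialized for HTTP/1.
    """
    problems: list[str] = []
    counts = Counter(name for name, _ in headers if name.startswith(":"))
    seen_regular = False
    for name, _ in headers:
        if not name.startswith(":"):
            seen_regular = True
        elif seen_regular:
            problems.append(f"pseudo-header {name} after a regular field")
    methods = [value for name, value in headers if name == ":method"]
    if len(methods) != 1:
        problems.append(f":method appears {len(methods)} times, expected exactly 1")
    elif not is_token(methods[0]):
        problems.append(f":method {methods[0]!r} is not a valid token")
    is_connect = methods == ["CONNECT"]
    for required in (":scheme", ":path"):
        n = counts[required]
        if is_connect and n <= 1:
            continue  # a CONNECT request may omit :scheme and :path
        if n != 1:
            problems.append(f"{required} appears {n} times, expected exactly 1")
    return problems

# Constructed sample header blocks (not captured traffic).
VALID_GET = [(":method", "GET"), (":scheme", "https"), (":path", "/"), ("host", "example.com")]
MALFORMED_METHOD = [(":method", "GET /admin"), (":scheme", "https"), (":path", "/"), ("host", "example.com")]
DUPLICATE_PATH = [(":method", "GET"), (":scheme", "https"), (":path", "/"), (":path", "/admin")]
CONNECT = [(":method", "CONNECT"), (":authority", "example.com:443")]
```

Run against MALFORMED_METHOD, the check flags the value from the advisory's proof-of-concept as a non-token, which is the point at which a proxy should reject the stream rather than forward it.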
Example exploit or proof-of-concept
Send an HTTP/2 or HTTP/3 request with an invalid :method header, such as ":method: GET /admin".
Detection
The upstream service receives unexpected privileged requests from Envoy.
Discoverer(s)/Credits
Martin van Kervel Smedshammer mvsmedsh@ifi.uio.no