Envoy is a popular open source edge and service proxy widely used in cloud-native environments. Because it sits between your users and your backend, the reliability of Envoy is critical for keeping your applications online. In mid-2023, a serious issue was disclosed, tracked as CVE-2023-35943, which could allow an attacker (or even a misconfiguration) to crash Envoy entirely using a subtle maneuver involving HTTP headers.
In this exclusive long read, I’ll explain exactly what happened, how the bug can be triggered, how an attacker could use it, and – most importantly – how you can protect yourself.
What’s the Issue? (In Simple Terms)
CVE-2023-35943 is a vulnerability in how Envoy processes the Origin HTTP header in its CORS filter. If the origin header is _removed_ after Envoy’s decodeHeaders phase but _before_ encodeHeaders, the CORS filter tries to reference it anyway—leading to a segmentation fault (a crash). That means a single buggy request, or a malicious request designed to exploit this, can bring down your proxy and make your services unavailable.
Learn more from the sources
- GitHub Security Advisory (GHSA-4xp3-wfmf-4mvf)
- Envoy commit fixing the issue
- CVE entry on NVD
Understanding the Attack
Let’s take a look under the hood. Envoy’s CORS (Cross-Origin Resource Sharing) filter checks the Origin HTTP header to determine what CORS policy to apply.
encodeHeaders Phase
- The CORS filter tries to reference the now-missing origin header *without checking if it’s still there*.
Minimal Exploit Example
Let’s put it in plain language: if your Envoy configuration or some custom filter *removes* the origin header, you are at risk.
Here’s how someone could exploit it using Envoy’s Lua filter:
```yaml
http_filters:
- name: envoy.filters.http.lua
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
    inline_code: |
      function envoy_on_request(request_handle)
        -- Remove the origin header
        request_handle:headers():remove("origin")
      end
- name: envoy.filters.http.cors
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
```
When a request comes in with an Origin header, this Lua code removes it. The CORS filter then crashes Envoy when it tries to process the missing header.
To simulate this, you could send a simple request:
```bash
curl -H "Origin: http://evil.com" http://your-envoy-proxy
```
If your Lua filter (or other filter) removes the Origin header in between, this request triggers the bug and brings down your proxy.
Real-World Impact
- Denial of Service: This isn’t just a minor bug—an attacker or even a buggy internal filter can take down your API gateway or edge proxy with a single request.
- Cloud Outage Risk: Since many organizations use Envoy in large-scale production, a crash can cascade and cause downtime.
- Low Complexity to Exploit: No authentication or special knowledge is needed; the exploit can be triggered remotely if the right (or wrong!) filter is present.
Do NOT Remove the Origin Header
If you can’t upgrade, never remove the origin header between the decode and encode phases in your filter chains. Comment out lines like:
```lua
request_handle:headers():remove("origin")
```
How It Was Fixed
The pull request fixing the issue changes the CORS filter to check whether the Origin header is still present before using it. If it’s missing, it now gracefully skips CORS handling instead of crashing.
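As an added illustration (my own C++ model, not Envoy’s source; CorsFilter, getOrigin, runPatched and the sample origin value are invented), this shows the unpatched dereference beside the re-check the fix adds, with the Lua filter’s header removal simulated between the two phases:

```cpp
// Added model, not Envoy's source: two filter phases and the null check that
// CVE-2023-35943's fix introduced. All names and the sample origin are invented.
#include <map>
#include <string>

using HeaderMap = std::map<std::string, std::string>;

// Envoy-style accessor: pointer to the header value, or nullptr when absent.
const std::string* getOrigin(const HeaderMap& request) {
  auto it = request.find("origin");
  return it == request.end() ? nullptr : &it->second;
}

struct CorsFilter {
  bool is_cors_request = false;  // decided once, in decodeHeaders

  // Phase 1: sees the request before later filters (such as Lua) mutate it.
  void decodeHeaders(const HeaderMap& request) {
    is_cors_request = getOrigin(request) != nullptr;
  }

  // Phase 2, pre-fix shape: trusts the phase-1 flag and dereferences the origin
  // pointer again without checking it. When a filter removed the header in
  // between, this is a null dereference (the segfault the advisory describes).
  std::string encodeHeadersUnpatched(const HeaderMap& request) const {
    if (!is_cors_request) return "";
    return *getOrigin(request);  // undefined behaviour if origin is now missing
  }

  // Phase 2, patched shape: re-check and skip CORS handling when the header is
  // gone. An empty result means "no access-control-allow-origin emitted".
  std::string encodeHeadersPatched(const HeaderMap& request) const {
    if (!is_cors_request) return "";
    const std::string* origin = getOrigin(request);
    return origin == nullptr ? "" : *origin;
  }
};

// Drives one request through decode -> optional header removal -> encode using
// the patched filter, returning the allow-origin value it would emit.
std::string runPatched(bool removeOriginBetweenPhases) {
  HeaderMap request{{"origin", "https://app.example"}};  // constructed sample
  CorsFilter filter;
  filter.decodeHeaders(request);
  if (removeOriginBetweenPhases) request.erase("origin");  // what the Lua filter does
  return filter.encodeHeadersPatched(request);
}
```

The unpatched path is only safe to call while the header is still present; with the header removed it is exactly the crash the advisory describes.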
Conclusion
CVE-2023-35943 shows us that even mature, widely used tools like Envoy are vulnerable when assumptions don’t match reality. By understanding the flow of headers and how filters interact, you can protect your infrastructure—and keep your cloud apps online.
Bottom line:
References
- GitHub Security Advisory: GHSA-4xp3-wfmf-4mvf
- Fix Commit on GitHub
- NVD Entry for CVE-2023-35943
Timeline
Published on: 07/25/2023 19:15:00 UTC
Last modified on: 08/02/2023 18:47:00 UTC