Impact
A compliant HTTP/1 service should reject malformed request lines.
A non-compliant HTTP/1 service may accept malformed requests, potentially leading to a bypass of security policies.
Affected components
HTTP2/HTTP3.
Attack vector/s
Attackers can send specially crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on an HTTP/1 upstream service.
Description
Envoy does not reject HTTP/2 and HTTP/3 requests whose :method value is not a valid token as defined in https://www.rfc-editor.org/rfc/rfc9110#section-5.6.2.
In addition, per https://datatracker.ietf.org/doc/html/rfc9113#section-8.3 and https://datatracker.ietf.org/doc/html/rfc9114#section-4.3.1, HTTP/2 and HTTP/3 requests MUST include exactly one value for each of the :method, :scheme, and :path pseudo-header fields, unless the request is a CONNECT request, which may omit :scheme and :path.
Allowing invalid characters in pseudo-headers can result in an invalid request line being sent when proxying from an HTTP/2 or HTTP/3 client to an HTTP/1 upstream service.
Example exploit or proof-of-concept
Send an HTTP/2 or HTTP/3 request with an invalid :method header, such as :method: GET /admin.
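The following is an added example, not Envoy's own code, showing the two checks the description calls for: a token validator implementing the RFC 9110 tchar set, and a pseudo-header check enforcing exactly one :method, :scheme and :path (with the CONNECT exception as the advisory states it). The function names, the header-list representation and the sample requests are constructed for this illustration; the ":method: GET /admin" value is the one from the proof-of-concept above.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// RFC 9110 section 5.6.2:
//   token = 1*tchar
//   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
//           "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
static bool is_tchar(unsigned char c) {
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')) {
        return true;
    }
    static const std::string punct = "!#$%&'*+-.^_`|~";
    return punct.find(static_cast<char>(c)) != std::string::npos;
}

// A token is one or more tchar; SP, "/" and control bytes are never allowed.
bool is_valid_token(const std::string& s) {
    if (s.empty()) return false;
    for (unsigned char c : s) {
        if (!is_tchar(c)) return false;
    }
    return true;
}

// Hypothetical representation of a decoded HTTP/2 or HTTP/3 header block.
using HeaderList = std::vector<std::pair<std::string, std::string>>;

// Returns an empty string when the pseudo-headers are acceptable, otherwise
// the reason the request should be rejected before any HTTP/1 request line
// is built for the upstream.
std::string validate_request_pseudo_headers(const HeaderList& headers) {
    int method = 0, scheme = 0, path = 0;
    std::string method_value;
    for (const auto& h : headers) {
        if (h.first == ":method") { ++method; method_value = h.second; }
        else if (h.first == ":scheme") ++scheme;
        else if (h.first == ":path") ++path;
    }
    if (method != 1) return "exactly one :method required";
    if (!is_valid_token(method_value)) return ":method is not a valid token";

    if (method_value == "CONNECT") {
        // CONNECT may omit :scheme and :path (as the advisory states), but a
        // duplicated pseudo-header is still malformed.
        if (scheme > 1 || path > 1) return "duplicate :scheme or :path";
        return "";
    }
    if (scheme != 1) return "exactly one :scheme required";
    if (path != 1) return "exactly one :path required";
    return "";
}

int main() {
    // Constructed sample: the proof-of-concept value from the advisory.
    HeaderList poc = {{":method", "GET /admin"}, {":scheme", "https"}, {":path", "/"}};
    std::string verdict = validate_request_pseudo_headers(poc);
    std::cout << (verdict.empty() ? "accepted" : "rejected: " + verdict) << "\n";
    return 0;
}
```

The point of the second function is ordering: the method token is validated before anything is serialized, so a value containing SP or "/" never reaches the HTTP/1 request line where it would be read as a second request target.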
Detection
Upstream service receives unexpected privileged requests from Envoy.
Discoverer(s)/Credits
Martin van Kervel Smedshammer mvsmedsh@ifi.uio.no