* [Blog](https://www2.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/)
* [Secure the Cloud](https://www2.paloaltonetworks.com/blog/category/secure-the-cloud/)
* Recent Vulnerabilities in...

# Recent Vulnerabilities in Envoy Explained, Including Impact to Istio

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2019%2F12%2Fcloud-envoy-vulnerabilities%2F)  
[](https://twitter.com/share?text=Recent+Vulnerabilities+in+Envoy+Explained%2C+Including+Impact+to+Istio&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2019%2F12%2Fcloud-envoy-vulnerabilities%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2019%2F12%2Fcloud-envoy-vulnerabilities%2F&title=Recent+Vulnerabilities+in+Envoy+Explained%2C+Including+Impact+to+Istio&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2019/12/cloud-envoy-vulnerabilities/&ts=markdown)  
\[\](mailto:?subject=Recent Vulnerabilities in Envoy Explained, Including Impact to Istio)  
Link copied  
By [Aviv Sasson](https://www.paloaltonetworks.com/blog/author/aviv-sasson/?ts=markdown "Posts by Aviv Sasson")  
Dec 19, 2019  
4 minutes  
[Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)  
[Envoy](https://www.paloaltonetworks.com/blog/tag/envoy/?ts=markdown)  
[Istio](https://www.paloaltonetworks.com/blog/tag/istio/?ts=markdown)  
[Vulnerabilities](https://www.paloaltonetworks.com/blog/tag/vulnerabilities/?ts=markdown)

On Dec. 10, three vulnerabilities in the [Envoy proxy](https://www.envoyproxy.io/) were made public, one of which was classified as "high severity" and two as "medium severity," affecting all versions up to and including Envoy 1.12.1.

Istio, which relies on Envoy, is also directly affected by these issues. The vulnerabilities may affect many Kubernetes deployments using Envoy, including many that are managed by cloud providers. On Dec. 13, Google issued an email alert to all its Google Kubernetes Engine (GKE) users, urging them to upgrade all Envoy instances in their clusters. In this article, I will shed more light on these three issues, their impact and how they were fixed. I'll also present a proof-of-concept video of a full bypass of Envoy rules.

Before diving into the details, let's go over the fundamentals of the affected components:

**Service Mesh**

A service mesh is a transparent software infrastructure layer designed to improve networking between microservices. The service mesh ensures communication is fast, reliable and secure. It provides useful capabilities such as load balancing, traceability, encryption and more.

**Envoy**

Envoy is a high-performance proxy designed for cloud-native applications. It was originally developed by the engineers at Lyft, and it grew to become open sourced and graduated to be a Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/projects/)) project. Additionally, it is a key component in the most popular service mesh -- Istio.

**Istio**

Istio is a service mesh, originally developed by Google, IBM and Lyft. It uses Envoy as a sidecar proxy, which means every microservice or pod has an Envoy running beside it and all the communication in the cluster goes through these sidecar components.

**CVE-2019-18838 -- Denial of Service and Potentially Other Issues**

Envoy can be customizable with different encoding filters. If it is configured with an encoder, containing a specific router manager API call, and it receives an HTTP request without the "Host" header, it will send back an "Invalid request" response. This response is dispatched through the configured encoder filter chain before being sent to the client. If an encoder filter access requests "Host" header, it will cause a NULL pointer to be dereferenced and result in abnormal behavior of Envoy.

It may cause Envoy to fail and crash, but under certain circumstances, an attacker may be able to craft an exploit even more dangerous and execute code on Envoy instances.

**CVE-2019-18801 -- Heap Overflow**

Envoy can be configured to accept HTTP 1, and while doing so, it assumes that all the HTTP header value sizes are less than 4KB. However, in HTTP 2 there are no restrictions on the size of the values, and as a result, untrusted input can overflow the buffer allocated for the encoding of the headers and crash Envoy.

So far, an RCE exploit was not published, but a proof-of-concept exists in which two malicious requests are able to result in bypassing Envoy's access control.

**CVE-2019-18802 -- Policy Bypass and Potentially Other Issues**

The security problem here is that Envoy's parser incorrectly fails to trim whitespace after the HTTP header value. This can result in many security issues like policy bypass, privilege escalation or information disclosure. For example, one of Envoy's features is the ability to reject HTTP requests by filtering the hostname header. The problem is that Envoy will treat "forbiddenSite\[.\]com " as a different string from "forbiddenSite\[.\]com" (notice the space character after the dot com) and forward the request instead of denying it. After that, the HTTP server will trim the whitespace to send a response.

**Proof of Concept**

**Mitigation**

On the same day the vulnerabilities were disclosed, Envoy released version 1.12.2, which contained the fixes for these issues. Istio released version 1.4.2, which contained the new Envoy as the sidecar proxy.

Although all these vulnerabilities require special configuration to successfully exploit, I would still highly recommend all Envoy and Istio users upgrade their instances to the latest versions as fast as possible. This is not just because these vulnerabilities can lead to a denial of service, but because their impact is not yet fully understood, and some exploits can potentially lead to much more damage. In a worst-case scenario, this could even potentially lead to a remote code execution.

The original advisories can be found on [Envoy's Github security page](https://github.com/envoyproxy/envoy/security/advisories).

*** ** * ** ***

## Related Blogs

### [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Analysis of Two Newly Patched Kubernetes Vulnerabilities](https://www2.paloaltonetworks.com/blog/2019/10/cloud-kubernetes-vulnerabilities/)

### [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Kubernetes -- Vulnerable to Denial-of-Service Attacks](https://www2.paloaltonetworks.com/blog/2019/08/cloud-kubernetes-vulnerable-denial-service-attacks/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### How Cortex Defends Against Microsoft SharePoint "ToolShell" Exploits](https://www2.paloaltonetworks.com/blog/security-operations/how-cortex-defends-against-microsoft-sharepoint-toolshell-exploits/)

### [Web Application \& API Security](https://www.paloaltonetworks.com/blog/cloud-security/category/web-application-api-security/?ts=markdown)

[#### Analyzing CVE-2023-50164: Apache Struts Path Traversal Vulnerability](https://www2.paloaltonetworks.com/blog/cloud-security/cve-2023-50164-custom-rules/)

### [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Streamline Risk Management with Context-Based Risk Prioritization](https://www2.paloaltonetworks.com/blog/cloud-security/risk-prioritization-remediation/)

### [Cloud Native Application Protection Platform](https://www.paloaltonetworks.com/blog/category/cloud-native-application-protection-platforms/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)

[#### Fixing Issues from Code to Cloud in One Place](https://www2.paloaltonetworks.com/blog/cloud-security/remediate-runtime-source-code/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language