Monthly
Denial of service in Envoy proxy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 allows remote unauthenticated attackers to crash the proxy by submitting deeply nested JSON (on the order of 100,000 levels). When the resulting JSON Object is torn down, its recursive destructor exhausts the thread stack, causing a stack overflow and process termination. There is no public exploit identified at time of analysis and the issue impacts availability only; the CVSS 3.1 base score is 7.5.
Denial of service in Envoy proxy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 allows remote unauthenticated attackers to crash the proxy by submitting deeply nested JSON (on the order of 100,000 levels). When the resulting JSON Object is torn down, its recursive destructor exhausts the thread stack, causing a stack overflow and process termination. There is no public exploit identified at time of analysis and the issue impacts availability only; the CVSS 3.1 base score is 7.5.