CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-23327: Crash in proxy protocol when command type of LOCAL in Envoy

7.5 CVSS

Description

Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protocol block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Classification

CVE ID: CVE-2024-23327

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-476: NULL Pointer Dereference

Affected Products

Vendor: envoyproxy

Product: envoy

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.14% (probability of being exploited)

EPSS Percentile: 35.89% (scored less or equal to compared to others)

EPSS Date: 2025-06-14 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-23327
https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j
https://github.com/envoyproxy/envoy/commit/63895ea8e3cca9c5d3ab4c5c128ed1369969d54a

Timeline

2025-06-09 19:40:21 UTC
CVE

Crash in proxy protocol when command type of LOCAL in Envoy