7.5
CVE-2026-48743
- EPSS 0.3%
- Veröffentlicht 26.06.2026 17:34:22
- Zuletzt bearbeitet 29.06.2026 18:27:36
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Envoy: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request's body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Envoyproxy ≫ Envoy Version >= 1.35.0 < 1.35.13
Envoyproxy ≫ Envoy Version >= 1.36.0 < 1.36.9
Envoyproxy ≫ Envoy Version >= 1.37.0 < 1.37.5
Envoyproxy ≫ Envoy Version >= 1.38.0 < 1.38.3
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.214 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 2.2 | 4.7 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
|
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf