CVE-2021-39162

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.

Published: Sep 10, 2021
Updated: May 4, 2025
CVE: CVE-2021-39162
GHSA: GHSA-gjcg-vrxg-xmgv
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-754

Affected Software
References

Software	From	Fixed in
envoyproxy / envoy	1.19.0	1.19.0.x
pomerium / pomerium	0.15.0	0.15.0.x
envoyproxy / envoy	-	1.18.4
github.com/pomerium/pomerium	-	0.15.1

https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ

Vulnerability Database

289,599

CVE-2021-39162