CVE-2024-45807

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using oghttp as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the oghttp2 by default. The impact of this issue is that envoy will crash. This issue has been addressed in release version 1.31.2. All users are advised to upgrade. There are no known workarounds for this issue.

Published: Sep 20, 2024
Updated: May 4, 2025
CVE: CVE-2024-45807
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
envoyproxy / envoy	1.31.0	1.31.2

https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37

Vulnerability Database

289,598

CVE-2024-45807