{"id":"CVE-2021-32780","details":"Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions an H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving these two frames in the same I/O event results in abnormal termination of the Envoy process due to an invalid state transition from CLOSED to DRAINING. A sequence of H/2 frames delivered by an untrusted upstream server will result in Denial of Service in the presence of untrusted **upstream** servers. Envoy versions 1.19.1 and 1.18.4 contain fixes that stop processing of pending H/2 frames after the connection transitions to the CLOSED state.","aliases":["BIT-envoy-2021-32780"],"modified":"2026-01-30T02:15:40.110838Z","published":"2021-08-24T21:15:09.947Z","related":["GHSA-j374-mjrw-vvp8"],"references":[{"type":"ADVISORY","url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8"},{"type":"ADVISORY","url":"https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"345ffe37148b7a35b6e8e04db0300463689e3ff1"},{"fixed":"bef18019d8fc33a4ed6aca3679aff2100241ac5e"}]}],"versions":["v1.18.0","v1.18.1","v1.18.2","v1.18.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32780.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}