Path traversal in envoy - CVE-2019-9901
Published: November 8, 2019 / Updated: June 24, 2026
envoy
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass access control.
The vulnerability exists due to path traversal in RBAC, HTTP router, external authorization, and rate limiting components when handling relative path URLs delivered by an untrusted client. A remote attacker can send a specially crafted request path containing relative path segments to bypass access control.
The issue can also affect routing and authorization decisions when a backend normalizes the path differently than Envoy.