Input validation error in envoy - CVE-2019-9900
Published: November 8, 2019 / Updated: June 24, 2026
envoy
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass access controls and gain access to unauthorized resources.
The vulnerability exists due to improper input validation in HTTP/1.x header parsing and header matching logic when processing HTTP/1.x requests with header values containing embedded NUL characters. A remote attacker can send a specially crafted HTTP request with embedded NUL characters in header values to bypass access controls and gain access to unauthorized resources.
The issue affects HTTP/1.x traffic and exploitation depends on configurations that use header-based access control, authorization, routing, or rate limiting decisions.