CVE-2022-29225

Source
https://cve.org/CVERecord?id=CVE-2022-29225
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29225.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-29225
Aliases
Downstream
Published
2022-06-09T19:15:14Z
Modified
2026-04-17T11:20:12.674149Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Zip bomb vulnerability in Envoy
Details

Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small, highly compressed payload. A maliciously constructed compressed body may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.

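The accumulate-then-overwrite behaviour described above can be reproduced outside Envoy. The Python script below is an added example, not Envoy's code and not the 1.22.1 fix: it inflates a constructed zlib stream two ways, the vulnerable way that buffers all output before use, and a bounded way that refuses the body once the output passes an assumed `max_ratio` times the compressed size. The payload, the `max_ratio` name and its default of 100 are constructed for this demo; the page does not state what bound Envoy 1.22.1 applies, and the demo uses zlib framing rather than the gzip, brotli or zstd framing Envoy's filters handle.

```python
"""Decompression bomb (CWE-409) in the pattern CVE-2022-29225 describes.

Constructed illustration, not Envoy's code or its 1.22.1 fix: one inflater
accumulates all decompressed output into an intermediate buffer with no bound,
the other stops once output exceeds an assumed max_ratio times the compressed
input. The max_ratio name and its default of 100 are assumptions for this demo.
"""
import zlib


class InflateRatioExceeded(Exception):
    """Decompressed output would exceed max_ratio * compressed size."""


def make_bomb(inflated_size: int) -> bytes:
    """Constructed payload: a run of zero bytes deflates at roughly 1000:1."""
    return zlib.compress(b"\x00" * inflated_size, 9)


# Constructed benign body: varied JSON records compress only a few times over.
BENIGN_PLAINTEXT = b"".join(
    b'{"id":%d,"user":"user%d","ok":true}\n' % (i, i * 7919) for i in range(200)
)
BENIGN_BODY = zlib.compress(BENIGN_PLAINTEXT)


def inflate_unbounded(body: bytes) -> bytes:
    """Vulnerable pattern: buffer every decompressed byte before using it.

    Peak memory is chosen by the sender, not by the size of what arrived.
    """
    d = zlib.decompressobj()
    out = bytearray(d.decompress(body))
    out += d.flush()
    return bytes(out)


def inflate_bounded(body: bytes, max_ratio: int = 100) -> bytes:
    """Hardened pattern: cap decompressed output relative to the input size.

    zlib's max_length stops the inflater once the cap is reached, so memory
    beyond limit + 1 bytes is never allocated. Output larger than the cap,
    or a stream that did not finish within it, is rejected.
    """
    limit = max_ratio * len(body)
    d = zlib.decompressobj()
    out = d.decompress(body, limit + 1)  # never allocates more than limit + 1
    if len(out) > limit or not d.eof:
        raise InflateRatioExceeded(
            f"{len(body)} compressed bytes inflate past {limit} bytes ({max_ratio}:1)"
        )
    return out


def rejected(body: bytes, max_ratio: int = 100) -> bool:
    """True when the bounded inflater refuses the body."""
    try:
        inflate_bounded(body, max_ratio)
    except InflateRatioExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = make_bomb(10_000_000)  # about 10 KB on the wire
    big = inflate_unbounded(bomb)
    print(f"unbounded: {len(bomb)} -> {len(big)} bytes ({len(big) // len(bomb)}:1)")
    print("bounded rejects bomb:", rejected(bomb))
    print("bounded accepts benign body:", inflate_bounded(BENIGN_BODY) == BENIGN_PLAINTEXT)
```

With a 10 MB run of zeros the zlib stream is about 10 KB, so the unbounded path allocates roughly a thousand times what arrived on the wire, which is the condition the advisory describes; the bounded path never allocates past the cap, and a body with a modest ratio still round-trips unchanged. A ratio cap is the cheapest check, but a proxy should also bound the absolute decompressed size, since a large compressed input can stay under any ratio while still being huge.
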
Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "1.22.1"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29225.json",
    "cwe_ids": [
        "CWE-400",
        "CWE-409"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type
GIT
Repo
https://github.com/envoyproxy/envoy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.22.1"
        }
    ]
}

Affected versions

v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.18.1
v1.18.2
v1.19.0
v1.20.0
v1.21.0
v1.22.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29225.json"
vanir_signatures_modified
"2026-04-17T11:20:12Z"
vanir_signatures
[
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "142780415915752640538624935601648888484",
                "320101655249930298485801335548989718314",
                "310267022245197416253321284308181236778"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "test/extensions/compression/zstd/decompressor/zstd_decompressor_impl_test.cc"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-2bd63fa3"
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "76424093164446404733380801547737017729",
            "length": 368.0
        },
        "target": {
            "file": "source/extensions/compression/brotli/decompressor/brotli_decompressor_impl.cc",
            "function": "BrotliDecompressorImpl::process"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-4068ea82"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "317091268972786862557656766823788073065",
                "340209122308492380688019568976891963637",
                "282375181286498142752796218476193840023",
                "202978433500286579151994628815775813410",
                "76028186394935099532030133875853889760"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "test/extensions/compression/gzip/compressor_fuzz_test.cc"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-467eb115"
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "67401435546717508420764332581265692453",
            "length": 545.0
        },
        "target": {
            "file": "source/extensions/compression/brotli/decompressor/brotli_decompressor_impl.cc",
            "function": "BrotliDecompressorImpl::decompress"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-4d8f71ee"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "125650013560747653251454059167614050045",
                "307722277274753234394553073668242189158",
                "253412105963027074443487331116062424969",
                "64623942650657484631985055160257858105",
                "19916289209991940955908538685090475129",
                "293788362779959953150114272270729725665",
                "162189824944321816762358584244379806640",
                "85068327285804573229768579067255969012",
                "317693613292349228410123435195037704779",
                "327396870597883385523946186865122161932",
                "130575896074566802953457517813433775042",
                "220818430864592439757786281723058038761",
                "75409822564346868074973589349903514995",
                "148679501514562171884701499656999643680",
                "185768103381123539811200646675851471792"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "source/extensions/compression/gzip/decompressor/zlib_decompressor_impl.cc"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-8ae1ca01"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "108657500598533462109365846541086915752",
                "212685185898566875514548464033460217453",
                "81274260220187976530484627582916611235"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "test/extensions/compression/gzip/decompressor/zlib_decompressor_impl_test.cc"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-91a6a951"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "81993476025900949940385867039587322513",
                "267346905265921096151921624769888263491",
                "299121674200241548467109345434817446507",
                "206778934269766804397403671646517338005",
                "52550268985546451415786717294425304478",
                "219529496982965175681007040775837852502",
                "319469537851171107930202822130820819387",
                "93797610194673319854187186714410118525",
                "330403852844614541926150618702023586519",
                "172436123872770838557349199024630358348",
                "55609653697132863881479259815228188632",
                "300353753042619827135671843331598864484",
                "293949540968280903538352693917672011553",
                "108587633537507210242609878158511307392"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "source/extensions/compression/zstd/decompressor/zstd_decompressor_impl.cc"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-91adfea9"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "246326900051602231549471743654772037167",
                "230994992815678701707766192966336701227",
                "305258637109499777982615690313269051974",
                "131983288448338302006983064715264152659",
                "214863495927623727885901324533806918105",
                "136429939547830675067632457795008189607"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "source/extensions/compression/brotli/common/base.h"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-ae0b4659"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "139991804194267804589808868423117982565",
                "324504178428015337583414013371326651247",
                "4534965153869730334144625837559458551"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "test/extensions/compression/brotli/decompressor/brotli_decompressor_impl_test.cc"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-ae9e0a11"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "84781442741684063772227168653433696253",
                "107279065640904548696717261227945599522",
                "310679680547316901695614646360648371174",
                "24532406953358103474152851365740860171",
                "320407170628931933040371262806014235189",
                "91932256508740885248798442697112929699",
                "61000355425054973582068385904183219029",
                "96545474828561871428570754657302876271",
                "47333025509601047985341258365420732831",
                "125439689789362756409090881221838341125",
                "280389092321384179134641332284822411472",
                "10624148133356207386557700795884777119",
                "239626692865785237577088137546386481109",
                "138438466594644698846861145220351280904"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "source/extensions/compression/brotli/decompressor/brotli_decompressor_impl.cc"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-b3b7f501"
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "143255505943557602724956151138613294060",
            "length": 1462.0
        },
        "target": {
            "file": "test/extensions/compression/gzip/compressor_fuzz_test.cc",
            "function": "DEFINE_FUZZER"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-b3da5732"
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "248473722445511962385728748609997355778",
            "length": 396.0
        },
        "target": {
            "file": "source/extensions/compression/gzip/decompressor/zlib_decompressor_impl.cc",
            "function": "ZlibDecompressorImpl::decompress"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-b61e48d0"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "58554808888801405319427902233014504936",
                "5046715161525297909628177102119378649",
                "47885853869975323379577247600656699929",
                "76823280203307593560276266298140457758",
                "318916538532449953856732500011797359645",
                "225573830210090813489437319358181169121",
                "27076376497445491318703990772064381692"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "source/extensions/compression/zstd/decompressor/zstd_decompressor_impl.h"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-bb251ecf"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "84910361421904938133166896610405209487",
                "270145974410380213591890412127682521307",
                "151308085271142467379973637870694008864",
                "139661723424944768460781871138841675863",
                "220644878171843580455233134807489860750",
                "174605894090564441803838445559241608831"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "source/extensions/compression/brotli/common/base.cc"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-bf1a8661"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "288831971304186054491144699900609016407",
                "300933110413711864545622256848598338462",
                "269216920254889261423265436112459410770",
                "6261781105783172812632119669668403012"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "source/common/runtime/runtime_features.cc"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-c20c5f83"
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "329564167412280202327579603115498949456",
            "length": 704.0
        },
        "target": {
            "file": "source/extensions/compression/zstd/decompressor/zstd_decompressor_impl.cc",
            "function": "ZstdDecompressorImpl::decompress"
        },
        "source": "https://github.com/envoyproxy/envoy/commit/cb4ef0b09200c720dfdb07e097092dd105450343",
        "signature_version": "v1",
        "id": "CVE-2022-29225-ee7878e6"
    }
]