GHSA-ghc4-35x6-crw5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ghc4-35x6-crw5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-ghc4-35x6-crw5/GHSA-ghc4-35x6-crw5.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-ghc4-35x6-crw5
- Aliases
- Published
- 2026-03-10T18:30:42Z
- Modified
- 2026-04-13T17:48:41.309584Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
- Summary
- Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation
- Details
-
1. Summary
The Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms.
2. Attack Scenario
Consider an environment where an administrator wants to block external access to internal resources using a specific header flag.
Configuration
The Envoy proxy is configured with a Deny rule to reject requests containing the header
internal: true. * Rule Type: Exact Match * Target:internalheader must not equaltrue.The Bypass Logic
Standard Request (Blocked):
- Input:
internal: true - Envoy Processing: Sees string
"true". - Result: Match found. Request Denied.
- Input:
Exploit Request (Bypassed):
- Input:
internal: true internal: true - Envoy Processing: Concatenates values into
"true,true". - Matcher Evaluation: Does
"true,true"equal"true"? No. - Result: The Deny rule fails to trigger. Request Allowed.
- Input:
3. Implications
- RBAC Bypass: Remote attackers can bypass configured access controls.
- Unauthorized Access: Sensitive internal resources or administrative endpoints protected by header-based Deny rules become accessible.
- Risk: High, particularly for deployments relying on "Exact Match" strategies for security blocking.
4. Reproduction Steps
To verify this vulnerability:
- Deploy Envoy: Configure an instance with an RBAC Deny rule that performs an exact match on a specific header (e.g.,
internal: true). - Baseline Test: Send a request containing the header
internal: true.- Observation: Envoy blocks this request (HTTP 403).
- Exploit Test: Send a second request containing the same header twice:
GET /restricted-resource HTTP/1.1 Host: example.com internal: true internal: true- Observation: Envoy allows the request, granting access to the resource.
6. Recommendations
Fix Header Validation Logic: Modify the RBAC filter to validate each header value instance individually. Avoid relying on the concatenated string output of
getAllOfHeaderAsString()for security-critical matching unless the matcher is explicitly designed to parse comma-separated lists.** Examine the DENY role to use a Regex style fix.
Credit: Dor Konis
- Database specific
{ "github_reviewed_at": "2026-03-10T18:30:42Z", "nvd_published_at": "2026-03-10T20:16:35Z", "severity": "HIGH", "cwe_ids": [ "CWE-20", "CWE-863" ], "github_reviewed": true }- References
Affected packages
Go
github.com/envoyproxy/envoy
Package
- Name
- github.com/envoyproxy/envoy
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/envoyproxy/envoy
github.com/envoyproxy/envoy
Package
- Name
- github.com/envoyproxy/envoy
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/envoyproxy/envoy
github.com/envoyproxy/envoy
Package
- Name
- github.com/envoyproxy/envoy
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/envoyproxy/envoy
github.com/envoyproxy/envoy
Package
- Name
- github.com/envoyproxy/envoy
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/envoyproxy/envoy