CVE Catalog

CVE-2026-48743

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

Envoy before versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 mishandles HTTP/3 requests with a non-zero Content-Length header that are complete at the transport layer (HEADERS with FIN). This results in an upstream HTTP/1 request with unresolved body debt, enabling desynchronization and route bypass.

Risk Assessment

An attacker can bypass Envoy security rules (e.g., path blocking) and send a malicious HTTP/1 request directly to the backend, leading to data integrity and confidentiality breaches.

Recommendation

Immediately upgrade Envoy to version 1.35.11, 1.36.7, 1.37.3, or 1.38.1 depending on your branch. If an upgrade is not possible, consider temporarily disabling HTTP/3 support.

Original NVD description (English source)

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request's body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS