Researchers have discovered a denial-of-service (DoS) vulnerability in Envoy Proxy, which gives attackers the opportunity to crash the proxy server.

This could lead to performance degradation or unavailability of resources handled by the proxy, according to JFrog Security Research, which disclosed the vulnerability (CVE-2022-29225).

Envoy is a widely used open source edge and service proxy server designed for cloud-native applications and high-traffic websites. It can decompress both GZip and Brotli data (two compression formats), but it doesn’t implement a size limit for the output buffer for the latter, JFrog found. This means that a near-unlimited amount of data could clog the buffer if attacked by a “zip bomb” — i.e., a malicious archive file designed to crash or render useless a program or system.