The vulnerability was found by security researcher Imre Rad, who disclosed his findings last week on the Full Disclosure mailing list.

Rad found the vulnerability in Extensible Service Proxy (ESP), an open source, Nginx-based proxy that enables API management capabilities for JSON/REST or gRPC API services. Its features include authentication, monitoring and logging. ESP is a component of Google’s Cloud Endpoints API management system, which is designed for securing, monitoring and analyzing APIs.