Skip to content

fix: bump Envoy to v1.35.11 to patch HTTP/2 DoS (CVE-2026-47774)#3

Merged
QuantumExplorer merged 1 commit into
dashpay:masterfrom
shumkov:fix/bump-envoy-1.35.11-cve-2026-47774
Jun 4, 2026
Merged

fix: bump Envoy to v1.35.11 to patch HTTP/2 DoS (CVE-2026-47774)#3
QuantumExplorer merged 1 commit into
dashpay:masterfrom
shumkov:fix/bump-envoy-1.35.11-cve-2026-47774

Conversation

@shumkov

@shumkov shumkov commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Issue being fixed

The image is built FROM envoyproxy/envoy:v1.30.1, which is affected by GHSA-22m2-hvr2-xqc8 (CVE-2026-47774, CVSS 7.5 High).

It's an unauthenticated HTTP/2 downstream memory-exhaustion DoS:

  • Cookie header bytes are buffered separately and merged after size validation, so they bypass max_request_headers_kb.
  • HPACK/oghttp2 enforces limits on encoded bytes, so a small encoded header block expands to a large decoded one (amplification).

The 1.30 line is EOL — no backport exists there.

What was done

Bumped the base image FROM envoyproxy/envoy:v1.30.1v1.35.11.

Of the advisory's listed fix versions (1.35.11 / 1.36.7 / 1.37.3 / 1.38.1), only v1.35.11 is published upstream so far (released + pushed to Docker Hub 2026-06-03; the others have no GitHub release and aren't on Docker Hub yet — v1.38-latest still points at the vulnerable v1.38.0). It's also the smallest jump from 1.30, so the lowest config-deprecation risk. v1.35.11 is multi-arch (amd64 + arm64), matching the existing build platforms.

The hot-restart wrapper (hot-restarter.py / start_envoy.sh), the python3 install, and the entrypoint are unchanged — only the base tag moves.

⚠️ Follow-up required to actually publish the patched image

Merging this does not publish a new dashpay/envoy image — the release workflow only builds/pushes on a published GitHub release (or workflow_dispatch), deriving the tag from the release tag. A maintainer needs to cut a release tagged v1.35.11-impr.1 (or run the workflow manually with that tag) to produce dashpay/envoy:1.35.11-impr.1.

Once that image exists, the dashmate pin in dashpay/platform (dashpay/envoy:1.30.2-impr.11.35.11-impr.1) is bumped in the companion PR.

Note: the Dockerfile previously pinned v1.30.1 while the published tag was 1.30.2-impr.1 (the image tag comes from the git release tag, not FROM). Pinning FROM to exactly v1.35.11 here keeps the published version number honest.

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated the Docker image base to a newer version of the Envoy proxy.

Envoy v1.30.1 is affected by GHSA-22m2-hvr2-xqc8 (CVE-2026-47774, CVSS
7.5): an unauthenticated HTTP/2 downstream memory-exhaustion DoS where
cookie header bytes bypass `max_request_headers_kb` and HPACK decode
amplification expands small encoded headers into large decoded ones.

The 1.30 line is EOL with no backport. Of the advisory's listed fix
versions (1.35.11 / 1.36.7 / 1.37.3 / 1.38.1), only v1.35.11 is
published upstream so far, so we move to that line — also the smallest
jump, lowest config-deprecation risk. The hot-restart wrapper, scripts,
and entrypoint are unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 13933e00-c3ff-4224-91d3-34d754c7c9ce

📥 Commits

Reviewing files that changed from the base of the PR and between 14e7fec and 35e2477.

📒 Files selected for processing (1)
  • Dockerfile

📝 Walkthrough

Walkthrough

The Dockerfile is updated to use a newer version of the Envoy proxy base image. The FROM directive is changed from envoyproxy/envoy:v1.30.1 to envoyproxy/envoy:v1.35.11, while all downstream build steps remain unchanged.

Changes

Envoy Version Update

Layer / File(s) Summary
Base Envoy image version update
Dockerfile
The base Docker image tag for Envoy is bumped from v1.30.1 to v1.35.11. All subsequent build steps (Python installation, script copying, and entrypoint configuration) remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hops with glee so bright,
The Envoy proxy shines with light,
From thirty to thirty-five it climbs,
A version bump, not grand designs,
The container's ready, swift and lean! 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: updating Envoy to v1.35.11 to address a critical HTTP/2 DoS vulnerability (CVE-2026-47774), which matches the changeset's single-line Dockerfile update.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@QuantumExplorer
QuantumExplorer merged commit 38866d8 into dashpay:master Jun 4, 2026
1 check passed
@github-project-automation github-project-automation Bot moved this from In review / testing to Done in Platform team Jun 4, 2026
shumkov added a commit to dashpay/platform that referenced this pull request Jun 4, 2026
…-47774)

The Platform Gateway runs dashpay/envoy:1.30.2-impr.1 (Envoy 1.30.x),
affected by GHSA-22m2-hvr2-xqc8 / CVE-2026-47774 (CVSS 7.5): an
unauthenticated HTTP/2 downstream memory-exhaustion DoS — cookie header
bytes bypass max_request_headers_kb and HPACK decode amplification
expands small encoded headers into large decoded ones. The 1.30 line is
EOL; 1.35.11 is the patched line published upstream.

- Bump the base config default gateway image to dashpay/envoy:1.35.11-impr.1
  (built + published from dashpay/docker-envoy#3; multi-arch, verified to
  contain Envoy 1.35.11).
- Add a 3.0.2 config migration that rewrites only the EOL 1.30.x Envoy image
  to the patched default, leaving deliberately customised images untouched.
  No migration above 3.0.0 touched the gateway image, so v3 configs
  (3.0.0..3.0.1-hotfix.*) would otherwise stay on the vulnerable image.
- Update gateway/update docs.

Config validated against Envoy 1.35.11 (envoy --mode validate, all
conditional branches): loads clean, zero deprecation warnings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants