Skip to content

fix(dashmate): bump Envoy gateway to 1.35.11 for HTTP/2 DoS (CVE-2026-47774)#3790

Closed
shumkov wants to merge 2 commits into
v3.1-devfrom
fix/dashmate-envoy-http2-dos
Closed

fix(dashmate): bump Envoy gateway to 1.35.11 for HTTP/2 DoS (CVE-2026-47774)#3790
shumkov wants to merge 2 commits into
v3.1-devfrom
fix/dashmate-envoy-http2-dos

Conversation

@shumkov

@shumkov shumkov commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator

Issue being fixed or feature implemented

The Platform Gateway pins dashpay/envoy:1.30.2-impr.1 (Envoy 1.30.x), affected by GHSA-22m2-hvr2-xqc8 (CVE-2026-47774, CVSS 7.5 High) — an unauthenticated HTTP/2 downstream memory-exhaustion DoS: cookie header bytes bypass max_request_headers_kb, and HPACK decode amplification expands small encoded headers into large decoded ones. The 1.30 line is EOL (no backport).

What was done?

Moved the gateway to the patched dashpay/envoy:1.35.11-impr.1. Of the advisory's fix versions (1.35.11 / 1.36.7 / 1.37.3 / 1.38.1), only 1.35.11 is published upstream so far, and it's the smallest jump from 1.30 (lowest config-deprecation risk).

  • Bumped the base config default gateway image.
  • Added a 4.0.0-beta.3 config migration resetting the gateway image to the patched default for existing nodes. The pre-existing reset (migration 1.0.0-dev.12) only runs for fromVersion < 3.0.0, so configs created on 3.0.0 .. 4.0.0-beta.2 would otherwise stay on the vulnerable 1.30 image.
  • Updated docs/config/gateway.md and docs/update.md.

Migration key note: keyed 4.0.0-beta.3 (assumed next release). The semver gate covers everyone on ≤ 4.0.0-beta.2 regardless, but if the next release is named differently, retarget the key to match.

⚠️ Depends on the patched image being published first

This pin won't pull until dashpay/docker-envoy publishes dashpay/envoy:1.35.11-impr.1:

Do not merge this before dashpay/envoy:1.35.11-impr.1 exists on Docker Hub.

How Has This Been Tested?

Added a regression test in migrateConfigFileFactory.spec.js pinning the migration for the 3.0.0..4.0.0-beta.2 cohort. Verified red→green (base bump in place, migration toggled):

✖ before migration: expected 'dashpay/envoy:1.30.2-impr.1' to equal 'dashpay/envoy:1.35.11-impr.1'
✔ after migration

Full migrateConfigFileFactory suite passes (existing full-migration test still green), eslint clean.

Breaking Changes

None.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
  • I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

  • I have assigned this pull request to a milestone

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated Platform Gateway Docker image to a newer version.
    • Added configuration migration for version 4.0.0-beta.3 to manage gateway component updates.
    • Updated documentation and added test coverage for the migration.

…-47774)

The Platform Gateway runs dashpay/envoy:1.30.2-impr.1 (Envoy 1.30.x),
affected by GHSA-22m2-hvr2-xqc8 / CVE-2026-47774 (CVSS 7.5): an
unauthenticated HTTP/2 downstream memory-exhaustion DoS — cookie header
bytes bypass max_request_headers_kb and HPACK decode amplification
expands small encoded headers into large decoded ones.

The 1.30 line is EOL. Of the advisory's fix versions
(1.35.11/1.36.7/1.37.3/1.38.1) only 1.35.11 is published upstream so far,
so the patched image is dashpay/envoy:1.35.11-impr.1.

- Bump the base config default gateway image.
- Add a 4.0.0-beta.3 config migration that resets the gateway image to
  the patched default for existing configs. The pre-existing reset at
  migration 1.0.0-dev.12 only runs for fromVersion < 3.0.0, so configs
  created on 3.0.0..4.0.0-beta.2 would otherwise stay on the vulnerable
  1.30 image.
- Update the gateway/update docs.

Regression test pins the migration for the 3.0.0..4.0.0-beta.2 cohort.
Test would have caught this in CI (migrateConfigFileFactory.spec.js):
  ✖ before migration: expected 'dashpay/envoy:1.30.2-impr.1' to equal
    'dashpay/envoy:1.35.11-impr.1'
  ✔ after migration

Requires dashpay/docker-envoy to publish dashpay/envoy:1.35.11-impr.1
(base-image bump: shumkov/docker-envoy@fix/bump-envoy-1.35.11-cve-2026-47774).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@shumkov
shumkov requested a review from QuantumExplorer as a code owner June 4, 2026 04:59
@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0719c38d-843f-4999-9562-35c6ccddd160

📥 Commits

Reviewing files that changed from the base of the PR and between 9eca622 and a723981.

⛔ Files ignored due to path filters (1)
  • packages/dashmate/templates/platform/gateway/envoy.yaml.dot is excluded by !**/*.dot
📒 Files selected for processing (5)
  • packages/dashmate/configs/defaults/getBaseConfigFactory.js
  • packages/dashmate/configs/getConfigFileMigrationsFactory.js
  • packages/dashmate/docs/config/gateway.md
  • packages/dashmate/docs/update.md
  • packages/dashmate/test/unit/config/configFile/migrateConfigFileFactory.spec.js

📝 Walkthrough

Walkthrough

This PR upgrades the Envoy Docker image version used by dashmate from 1.30.2-impr.1 to 1.35.11-impr.1. It updates the default configuration, adds a migration handler for configs from 4.0.0-beta.2 to 4.0.0-beta.3, includes test coverage, and updates all related documentation.

Changes

Envoy Docker Image Upgrade to 1.35.11-impr.1

Layer / File(s) Summary
Default Envoy image update
packages/dashmate/configs/defaults/getBaseConfigFactory.js
Updated platform.gateway.docker.image default from dashpay/envoy:1.30.2-impr.1 to dashpay/envoy:1.35.11-impr.1.
Config migration handler and test
packages/dashmate/configs/getConfigFileMigrationsFactory.js, packages/dashmate/test/unit/config/configFile/migrateConfigFileFactory.spec.js
Added 4.0.0-beta.3 migration that upgrades each configured gateway docker image to the patched default. Includes regression test verifying the migration correctly transitions configs from beta.2, asserting the result matches the newer Envoy tag and is not the vulnerable 1.30.2 version.
Documentation updates
packages/dashmate/docs/config/gateway.md, packages/dashmate/docs/update.md
Updated gateway config documentation and example JSON output to reflect the new dashpay/envoy:1.35.11-impr.1 image tag.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • QuantumExplorer
  • thepastaclaw

Poem

A rabbit hops through version lands,
Where 1.30 fades to Envoy stands,
1.35 now takes the gate,
Migration scripts make configs great!
✨ Upgraded and documented straight 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly describes the main change: bumping Envoy gateway from 1.30.2 to 1.35.11 to address CVE-2026-47774, which is the core objective of the PR.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/dashmate-envoy-http2-dos

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@thepastaclaw

thepastaclaw commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator

✅ Review complete (commit a723981)

@thepastaclaw thepastaclaw left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

Targeted security fix bumping the default Envoy gateway image and adding a 4.0.0-beta.3 config migration that resets existing configs missed by the prior 1.0.0-dev.12 cohort (3.0.0..4.0.0-beta.2). Implementation is correct, scoped, well-tested, and follows the codebase's established unconditional-reset convention for migration-driven image bumps (see line 660). Both Codex findings fail validation — one misreads the intentional 'migration activates on current binary' mechanism, the other contradicts the established codebase pattern.

…teway

Verified the gateway Envoy config against Envoy 1.35.11 (`envoy --mode
validate` across all conditional branches: self-signed TLS, rate limiter,
metrics/admin, JSON/file access logs, overload manager): loads clean with
zero deprecation warnings. Two cleanups surfaced by that review:

- Remove `protocol_selection: USE_CONFIGURED_PROTOCOL` from the
  ratelimit_service cluster. It's deprecated and redundant — the cluster
  already pins HTTP/2 via typed_extension_protocol_options /
  explicit_http_config, which takes precedence. Re-validated after removal:
  still "configuration OK", behavior unchanged.
- Bump the injected_resource doc-link comment v1.30.1 -> v1.35.11 to match
  the image bump.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@thepastaclaw thepastaclaw left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

Targeted CVE fix that bumps the Dashmate Platform Gateway from the vulnerable Envoy 1.30.2-impr.1 to 1.35.11-impr.1 for CVE-2026-47774 / GHSA-22m2-hvr2-xqc8, with a 4.0.0-beta.3 migration covering the 3.0.0..4.0.0-beta.2 cohort missed by the earlier 1.0.0-dev.12 reset. The latest-push delta drops the deprecated protocol_selection: USE_CONFIGURED_PROTOCOL from the ratelimit_service cluster, which is correctly redundant because the same cluster already declares HTTP/2 via typed_extension_protocol_options.explicit_http_config.http2_protocol_options. All agent findings reduce to either documented design intent (the broad migration sweep) or pre-existing concerns unrelated to this PR's scope (plain-text doc table uses old naming across all services; rate-limiter cluster rendering was never test-covered prior to this PR). No in-scope blocking or actionable issues; the only external dependency is the documented Docker Hub publication of dashpay/envoy:1.35.11-impr.1, which the PR description already gates merge on.

@shumkov shumkov closed this Jun 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants