Change8

v1.37.3

📦 envoyView on GitHub →
🐛 5 fixes🔧 4 symbols

Summary

Release v1.37.3 includes several security fixes related to HTTP/2 header limits, HMAC verification, and AES-CBC decryption, alongside a fix for a load report shutdown race condition.

Migration Steps

  1. To revert the change where uncompressed cookies count towards header limits, use the runtime flag ``envoy.reloadable_features.http2_include_cookies_in_limits``.

🐛 Bug Fixes

  • http2: HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards mutable_max_request_headers_kb and max_headers_count limits, protecting against an HPACK cookie-bomb.
  • oauth2: Fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
  • oauth2: Fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a HeaderString validation assert.
  • http2: Applied nghttp2 CVE-2026-27135 patch.
  • load_report: Fixed a shutdown race with ADS stream by introducing proper gRPC stream cleanup.

Affected Symbols