
CVE-2024-45810: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in envoyproxy envoy

Severity: Medium
Tags: Vulnerability, CVE-2024-45810, CWE-119
Published: Thu Sep 19 2024 (09/19/2024, 23:34:22 UTC)
Source: CVE Database V5
Vendor/Project: envoyproxy
Product: envoy

Description

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy will crash when the HTTP async client is handling `sendLocalReply` under some circumstances, e.g., websocket upgrade and request mirroring. The HTTP async client will crash during `sendLocalReply()`: one reason is that the HTTP async client duplicates the status code; another is that the destroy of the router is called in the destructor of the async stream, while the stream has already been deferred-deleted. The stream decoder is destroyed but its reference is still used in `router.onDestroy()`, causing a segmentation fault. This will impact ext_authz if the `upgrade` and `connection` headers are allowed, and request mirroring. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI-Powered Analysis

Last updated: 01/30/2026, 20:27:41 UTC

Technical Analysis

CVE-2024-45810 is a vulnerability classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) affecting the Envoy proxy, a widely used cloud-native high-performance edge and service proxy. The flaw occurs in the HTTP asynchronous client component during the execution of the sendLocalReply() function. Specifically, when handling certain conditions such as websocket upgrades and request mirroring, the async client duplicates the HTTP status code and improperly manages the lifecycle of the router and stream objects. The router's onDestroy() method is called on a stream decoder that has already been destroyed due to deferred deletion, causing a use-after-free condition and resulting in a segmentation fault crash. This vulnerability primarily impacts the availability of the Envoy proxy service by causing crashes and denial of service. The issue is particularly relevant when ext_authz filters allow 'upgrade' and 'connection' headers, which are common in websocket and mirrored request scenarios. The vulnerability affects multiple Envoy versions prior to 1.28.7, 1.29.9, 1.30.6, and 1.31.2, where it has been addressed. Exploitation requires network access and low privileges but no user interaction. No known exploits have been reported in the wild, and no effective workarounds exist, making timely patching the only reliable mitigation.

Potential Impact

For European organizations, the impact of CVE-2024-45810 is primarily a denial of service risk due to Envoy proxy crashes. Organizations relying on Envoy for edge routing, service mesh, or API gateway functions may experience service interruptions, degraded performance, or outages, affecting business continuity and user experience. This is critical for sectors with high availability requirements such as finance, telecommunications, healthcare, and public services. Since Envoy is often deployed in cloud-native environments and microservices architectures, the vulnerability could cascade, impacting multiple dependent services. Although the vulnerability does not compromise confidentiality or integrity, the availability impact could disrupt critical infrastructure and services. The absence of known exploits reduces immediate risk, but the ease of triggering the crash and lack of workarounds mean that attackers could weaponize this vulnerability to cause denial of service if they gain network access.

Mitigation Recommendations

The primary mitigation is to upgrade Envoy to one of the patched versions (1.28.7, 1.29.9, 1.30.6, or 1.31.2) or later. Organizations should audit their deployments to identify affected versions and prioritize patching in environments exposed to untrusted networks. Since no workarounds exist, temporary risk reduction could include disabling or restricting ext_authz filters that allow the 'upgrade' and 'connection' headers, or disabling request mirroring, until patches are applied. Monitoring Envoy logs and metrics for crashes or abnormal restarts can help detect exploitation attempts. Network segmentation and limiting access to the Envoy management and data planes can reduce exposure. Additionally, robust service mesh observability and failover mechanisms can limit the impact of outages caused by this vulnerability.
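The following script is an added example, not part of this advisory or of Envoy's own tooling. It supports the deployment audit recommended above: it parses `envoy --version` output collected from a set of hosts and classifies each host against the fix versions named in this advisory, per release branch (1.28.x needs 1.28.7, 1.29.x needs 1.29.9, and so on; later branches are treated as fixed, older branches as affected). The `envoy  version: <sha>/<version>/...` output format, the host names and the SHA values are assumptions constructed for the example.

```python
"""Audit Envoy version strings against the fix versions listed for CVE-2024-45810."""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Fix versions as stated in the advisory, keyed by release branch (major, minor).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (1, 28): (1, 28, 7),
    (1, 29): (1, 29, 9),
    (1, 30): (1, 30, 6),
    (1, 31): (1, 31, 2),
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)

# Assumed format of `envoy --version` output:
#   "envoy  version: <sha>/1.30.5/Clean/RELEASE/BoringSSL"
# The SHA contains no dots, so the first dotted triple is the release number.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor.patch triple from a version string."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a version as 'patched' or 'affected' for CVE-2024-45810."""
    branch = (version[0], version[1])
    if branch in FIXED_BY_BRANCH:
        # Same branch as a listed fix: compare the patch level.
        return "patched" if version >= FIXED_BY_BRANCH[branch] else "affected"
    if branch > NEWEST_FIXED_BRANCH:
        # A newer release branch; the advisory says fixed versions "or later".
        return "patched"
    # An older branch that received no listed fix: treat as affected.
    return "affected"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> 'patched' | 'affected' | 'unknown' from raw version output."""
    results: Dict[str, str] = {}
    for host, output in inventory.items():
        version = parse_version(output)
        results[host] = assess(version) if version else "unknown"
    return results


def affected_hosts(results: Dict[str, str]) -> Iterable[str]:
    """Hosts that need patching first (affected) or manual inspection (unknown)."""
    return sorted(h for h, status in results.items() if status != "patched")


# Constructed sample inventory: host -> captured `envoy --version` line.
INVENTORY = {
    "edge-1": "envoy  version: 0000000000000000000000000000000000000000/1.30.5/Clean/RELEASE/BoringSSL",
    "edge-2": "envoy  version: 1111111111111111111111111111111111111111/1.31.2/Clean/RELEASE/BoringSSL",
    "mesh-3": "envoy  version: 2222222222222222222222222222222222222222/1.28.7/Clean/RELEASE/BoringSSL",
    "mesh-4": "envoy  version: 3333333333333333333333333333333333333333/1.27.3/Clean/RELEASE/BoringSSL",
    "lab-5": "envoy  version: 4444444444444444444444444444444444444444/1.32.0/Clean/RELEASE/BoringSSL",
    "gw-6": "command not found: envoy",
}

if __name__ == "__main__":
    report = audit(INVENTORY)
    for host, status in sorted(report.items()):
        print(f"{host:8} {status}")
    print("needs attention:", ", ".join(affected_hosts(report)))
```

In a real audit the `INVENTORY` values would come from the hosts themselves (for example, `envoy --version` run inside each sidecar or gateway container); anything that does not parse is reported as `unknown` rather than silently skipped, so unreachable or oddly built instances still surface in the report.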


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2024-09-09T14:23:07.505Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 697d10c0ac0632022277c28c

Added to database: 1/30/2026, 8:12:48 PM

Last enriched: 1/30/2026, 8:27:41 PM

Last updated: 2/6/2026, 7:32:47 PM
