Heimdall is a cloud-native Identity Aware Proxy and Access Control Decision service that integrates with Envoy via a gRPC decision API. In versions 0.7.0-alpha through 0.17.10, Heimdall mishandles URL query strings when operating in Envoy gRPC decision API mode. Envoy splits the requested URL into components and sends them separately to Heimdall, where the query field is documented as always empty and the full URL query is included in the path field. Heimdall uses Go's standard url library to reconstruct the URL, which automatically percent-encodes special characters in the path segment. For example, a URL path like /mypath?foo=bar is encoded as /mypath%3Ffoo=bar. This encoding causes path-based access control rules that expect /mypath to fail to match, effectively bypassing those rules. The vulnerability can lead to unauthorized access if Heimdall is configured with an "allow all" default rule, which is insecure. Since version 0.16.0, Heimdall enforces secure defaults by refusing to start with such a configuration unless explicitly overridden via flags like --insecure-skip-secure-default-rule-enforcement or --insecure. The issue was addressed and fixed in version 0.17.11. The CVSS v3.1 score is 8.2 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality and integrity but not availability. No known exploits are currently reported in the wild.

This vulnerability can allow attackers to bypass path-based access control rules in Heimdall, potentially granting unauthorized access to protected resources. The impact primarily affects confidentiality and integrity of access control decisions, as unauthorized users may gain access to sensitive services or data. Availability is not impacted. The risk is significant in environments where Heimdall is deployed as a critical identity-aware proxy controlling access to cloud-native applications and services. Organizations using vulnerable versions with insecure default configurations are at higher risk. Exploitation requires no authentication or user interaction and can be performed remotely over the network, increasing the threat surface. However, secure default configurations in recent versions mitigate the risk unless explicitly disabled. Failure to patch or properly configure Heimdall could lead to unauthorized data exposure, privilege escalation, and potential lateral movement within enterprise networks.

1. Upgrade Heimdall to version 0.17.11 or later to apply the official fix for this vulnerability. 2. Avoid using insecure default configurations; do not disable secure default rule enforcement unless absolutely necessary and fully understood. 3. Review and audit all access control rules to ensure they do not rely solely on path matching that could be bypassed by URL encoding issues. 4. Implement additional layers of access control and monitoring around Heimdall to detect anomalous access patterns. 5. Use network segmentation and zero trust principles to limit the impact of any potential bypass. 6. Regularly update and patch Heimdall and related components to incorporate security improvements. 7. Conduct penetration testing and vulnerability assessments focusing on URL encoding and access control logic. 8. Monitor Heimdall logs for unusual requests that include encoded query strings in paths. 9. Educate DevOps and security teams about the risks of disabling secure defaults and the importance of proper URL handling in access control.