
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-43825 is a use-after-free vulnerability in Envoy proxy that occurs when response filters increase the size of response data and the enlarged data exceeds downstream buffer limits. The vulnerability was disclosed and patched in February 2022 and affects Envoy versions v1.21.0 and earlier. It has been assigned a CVSS score of 6.1 (Moderate severity) (GitHub Advisory).
Envoy tracks the amount of buffered request and response data and is designed to abort a request with a 413 or 500 response when the buffered data exceeds its limits. When the buffer overflows while the response is being processed by the filter chain, however, the request may not be aborted correctly, and this incorrect handling can result in access to already-freed memory. The CVSS base score of 6.1 carries the following metrics: Network attack vector, Low attack complexity, No privileges required, User interaction required, Changed scope, and Low impact on both integrity and availability (GitHub Advisory).
The primary impact of this vulnerability is a potential Denial of Service (DoS): when exploited, it causes the application to access freed memory blocks, which can disrupt the service (GitHub Advisory).
The vulnerability has been patched in Envoy versions 1.18.6, 1.19.3, 1.20.2, and 1.21.1. If upgrading is not immediately possible, disabling filters that may modify a response body and increase its size serves as a workaround (GitHub Advisory, Red Hat Advisory).
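The following triage script, added here as an example (it is not part of the Wiz page or the Envoy project), checks an inventory of reported Envoy versions against the fixed releases named above, branch by branch, so that 1.20.1 is flagged while 1.20.2 is not. It assumes the `envoy --version` output format `envoy  version: <git-sha>/<x.y.z>/Clean/RELEASE/BoringSSL` and treats branches from 1.22 onwards as unaffected, since the advisory lists v1.21.0 and earlier as affected.

```python
"""Triage Envoy versions against the CVE-2021-43825 fix releases.
Added example (not from the Wiz page or the Envoy project). Fixed releases
come from the advisory; the 'envoy --version' line format is assumed to be
'envoy  version: <git-sha>/<x.y.z>/Clean/RELEASE/BoringSSL'."""
import re
from typing import Optional, Tuple

# Patched release per minor branch, as listed in the advisory.
FIXED_BY_BRANCH = {
    (1, 18): (1, 18, 6),
    (1, 19): (1, 19, 3),
    (1, 20): (1, 20, 2),
    (1, 21): (1, 21, 1),
}
# The advisory lists v1.21.0 and earlier as affected, so branches from 1.22
# onwards are assumed to have shipped with the fix (assumption).
FIRST_UNAFFECTED_BRANCH = (1, 22)

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract x.y.z from a bare version or a full 'envoy --version' line."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None

def assess(text: str) -> str:
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown' for one host."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return "fixed" if v >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return "unaffected"
    # Branches before 1.18 received no fix release: treat as vulnerable.
    return "vulnerable"

# Constructed sample inventory (host -> reported version string).
SAMPLE_INVENTORY = {
    "edge-01": "envoy  version: 0123abcd/1.20.1/Clean/RELEASE/BoringSSL",
    "edge-02": "envoy  version: 0123abcd/1.21.1/Clean/RELEASE/BoringSSL",
    "edge-03": "1.17.4",
    "edge-04": "1.22.0",
    "edge-05": "unknown build",
}

if __name__ == "__main__":
    for host, version in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host}: {assess(version)}")
```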
Source: This report was generated using AI