The 'X-Envoy-External-Address' header is added by Envoy Proxy to carry the address it considers the trusted client address for a request. Envoy populates it only when 'use_remote_address' is enabled and the request comes from an address it classifies as external, and it is intended for the upstream service, not for the client. If it reaches unauthorized clients, for example because a backend echoes request headers into its response, it discloses networking details: in a layered deployment (CDN, load balancer, then Envoy) it can reveal the internal address of the hop Envoy actually trusts, and therefore which part of the chain Envoy uses to derive the client identity. Attackers can use this to map your infrastructure, target specific nodes, or probe IP-based allowlisting and rate limiting that relies on this address. Revealing the header therefore expands information leakage and supports reconnaissance against your proxy layer.
Remove or sanitize the 'X-Envoy-External-Address' header before responses leave your edge. Configure Envoy, and any reverse proxies or load balancers in front of it, to strip this header from responses so that it remains an internal, request-only mechanism; also check that backend services do not copy inbound request headers into their responses. Verify that 'use_remote_address' and 'xff_num_trusted_hops' match your actual topology, so the address Envoy trusts is the one you intend. Keep Envoy Proxy and associated services patched and up to date. Consider a Web Application Firewall (WAF) or network intrusion detection system to monitor for traffic patterns that probe IP-based logic. Regularly review your networking and proxy configurations to confirm that no environment-specific details, such as IP addresses or routing rules, are leaked through response headers.
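The following Envoy bootstrap fragment is an added example of the remediation above; it is not configuration from the original page or from the Envoy project. It enables 'use_remote_address' so the header is derived from the immediate peer, and uses the route configuration's 'response_headers_to_remove' to strip the header from every response before it reaches the client, regardless of whether a backend echoed it. The listener port, cluster name and the 'app.internal' hostname are placeholders chosen for the example.

```yaml
# Added example (not from the original page): strip x-envoy-external-address
# from client-facing responses while still passing it to the upstream.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }   # assumed listener
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # Trust the directly connected peer's address. Envoy then sets
          # x-envoy-external-address on the upstream request for external clients.
          use_remote_address: true
          # 0 = no additional proxies in front of Envoy. Raise this only if a
          # trusted load balancer sits in front and appends to X-Forwarded-For.
          xff_num_trusted_hops: 0
          route_config:
            name: local_route
            # Applies to all virtual hosts and routes below: the header is
            # removed from responses even if the backend copies it back.
            response_headers_to_remove:
            - x-envoy-external-address
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: app }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: app                       # assumed cluster name
    connect_timeout: 1s
    type: STRICT_DNS
    load_assignment:
      cluster_name: app
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: app.internal, port_value: 8000 }   # assumed upstream
```

If the upstream service does not consume the header at all, it can additionally be dropped from the request with 'request_headers_to_remove' at the same level; otherwise leave it on the request, since the header exists for the upstream's benefit. After deploying, confirm with a plain HTTP client (for example 'curl -sI' against the public hostname) that the header is absent from response headers on both normal and error responses, as error pages generated by a backend are a common place for echoed headers to survive.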
Code: A05:2021
Category: Security Misconfiguration
5.3