{"id":"CVE-2021-41130","details":"Extensible Service Proxy, a.k.a. ESP is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by HTTP header \"X-Endpoint-API-UserInfo\", the application can use it to do authorization. But if there are two \"X-Endpoint-API-UserInfo\" headers from the client, ESPv1 only replaces the first one, the 2nd one will be passed to the application. An attacker can send two \"X-Endpoint-API-UserInfo\" headers, the second one with a fake JWT claim. Application may use the fake JWT claim to do the authorization. This impacts following ESPv1 usages: 1) Users have configured ESPv1 to do JWT authentication with Google ID Token as described in the referenced google endpoint document. 2) Users backend application is using the info in the \"X-Endpoint-API-UserInfo\" header to do the authorization. It has been fixed by v1.58.0. You need to patch it in the following ways: * If your docker image is using tag \":1\", needs to re-start the container to pick up the new version. The tag \":1\" will automatically point to the latest version. * If your docker image tag pings to a specific minor version, e.g. \":1.57\". You need to update it to \":1.58\" and re-start the container. There are no workaround for this issue.","modified":"2026-04-11T18:45:30.775457Z","published":"2021-10-07T19:15:08.843Z","related":["GHSA-43wx-8qmj-9r9q"],"references":[{"type":"ADVISORY","url":"https://github.com/cloudendpoints/esp/security/advisories/GHSA-43wx-8qmj-9r9q"},{"type":"ADVISORY","url":"https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id"},{"type":"ADVISORY","url":"https://github.com/cloudendpoints/esp/releases/tag/v1.58.0"},{"type":"FIX","url":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudendpoints/esp","events":[{"introduced":"0"},{"fixed":"55c5c60cebd41550b7479973ad7a024f8ca031b2"},{"fixed":"e310c4f91d229a072507f80c73811489b4cdff27"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.58.0"}]}}],"versions":["0.3.8","0.3.9","v1.10.0","v1.11.0","v1.12.0","v1.13.0","v1.15.0","v1.16.0","v1.2.0","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.24.0","v1.26.0","v1.27.0","v1.28.0","v1.29.0","v1.3.0","v1.30.0","v1.31.0","v1.33.0","v1.34.0","v1.35.0","v1.36.0","v1.37.0","v1.38.0","v1.4.0","v1.40.0","v1.41.0","v1.42.0","v1.43.0","v1.44.0","v1.46.0","v1.47.0","v1.5.0","v1.55.0","v1.56.0","v1.57.0","v1.6.0","v1.8.0","v1.9.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T18:45:30Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41130.json","vanir_signatures":[{"digest":{"line_hashes":["252299592520253607988299476302700982455","248610505559295528176394314957702295531","317227738951296697058863858163680719761","261829619994639712799105361394936647073"],"threshold":0.9},"target":{"file":"include/api_manager/request.h"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-03fc3b1b","signature_version":"v1","signature_type":"Line"},{"digest":{"line_hashes":["103089253687945008137816859079091315449","57528866812672555845746726749972931768","222193775147550499088633174519636472944","139408884480015151975786006559049758453"],"threshold":0.9},"target":{"file":"src/api_manager/request_handler.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-0e04870b","signature_version":"v1","signature_type":"Line"},{"digest":{"line_hashes":["40180582710644749667633173662694883634","129580747434126122222113247141326853489","79757806813320707653655341305941327183","113140239591170886862975830604449606186","179443316010782707869359302177954648216"],"threshold":0.9},"target":{"file":"src/api_manager/context/client_ip_extraction_test.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-1eb0e0fe","signature_version":"v1","signature_type":"Line"},{"digest":{"length":1359,"function_hash":"70660443424170074453660226878901939687"},"target":{"function":"CheckAuthTest::TestValidToken","file":"src/api_manager/check_auth_test.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-4524aa09","signature_version":"v1","signature_type":"Function"},{"digest":{"line_hashes":["273194342846113705585364086021552446287","75578103592312464274331218795206130976","213316359649160174181370330221723769841","124285692801040372300669983042502547792","191957608709753492315192367144684585237","157503054261825167032896249816530441106","177461145267599042349083594045097357167","297496602830915671545076335022504587327","163844129952166203095878708708579506538","121981586546568691793722684703108695605","154100247305967973252642800771164203980","310917885622754471010294987415862439510","331281844039084445166642735590479862923","181493525565562107727016143056959279665","221832630133309296006978331479859080932","302522287934114089433665212366648391059","1810982064106098176294479025968343671","279712875281089011610534689990858916796","103963470071564193428273125947912129240","92045183861454617745757908552589344029","186322133010321617451158839454224479514","50242325865326987575206795976861350172","103772171830738870288327866827004724540","153737777796121030273712820158124369630","102114681163685396643097775864277838420","61422471775798196078807954871481993077"],"threshold":0.9},"target":{"file":"src/nginx/request.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-5da443f2","signature_version":"v1","signature_type":"Line"},{"digest":{"line_hashes":["199661318353406484167738561063535390747","47478523884108383931197297436545999302","69465198097250853560295093351751952550","288797171835950172328806770888900207773","130981369790235362577931143511872893993","286964953872384455258138368751357756406"],"threshold":0.9},"target":{"file":"src/api_manager/check_service_control.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-7155199d","signature_version":"v1","signature_type":"Line"},{"digest":{"length":260,"function_hash":"120904301598098223398345863961748157606"},"target":{"function":"check_workflow_","file":"src/api_manager/request_handler.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-824a4de0","signature_version":"v1","signature_type":"Function"},{"digest":{"length":487,"function_hash":"153171212618605172523470740891956953442"},"target":{"function":"AuthChecker::PassUserInfoOnSuccess","file":"src/api_manager/check_auth.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-88d1c33d","signature_version":"v1","signature_type":"Function"},{"digest":{"length":1004,"function_hash":"200869581475123735993262261928253439004"},"target":{"function":"TEST_F","file":"src/api_manager/check_auth_test.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-8b11673b","signature_version":"v1","signature_type":"Function"},{"digest":{"length":542,"function_hash":"194656220474211919318833233523308925791"},"target":{"function":"RequestContext::StartBackendSpanAndSetTraceContext","file":"src/api_manager/context/request_context.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-8de04600","signature_version":"v1","signature_type":"Function"},{"digest":{"line_hashes":["156763601970778594089670826451538877310","164569280114907739439158198890037041221","134495384703724863499620142923817933887","174266110874575389579116051652295037744"],"threshold":0.9},"target":{"file":"src/api_manager/check_auth.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-9966616b","signature_version":"v1","signature_type":"Line"},{"digest":{"line_hashes":["124555775050186960473444525736434112541","87956929436607818709267142385317192772","235316682392370544772653880151432570847","318446486927011715873710970011942586419","301061032907837933390599384616823680997"],"threshold":0.9},"target":{"file":"src/api_manager/mock_request.h"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-9ea99476","signature_version":"v1","signature_type":"Line"},{"digest":{"line_hashes":["268557008247647403069910143145655387670","123208326389277014211541663463708714016","70247440695724784152739511634001274559","305995428250267423201561448354776443700","133650305765493911584888931324277147000","236703638891815106614579422885455303579","197465051832478868523698529580782688281","242606095202304975276799361496756919418","220920585778604497943435673097724463160","264841444507472038154634199411757364443","225583033442034394493085448150182157424","123179324701565035031392537874864341740","150460308205968684534856279625421189756","236140646073989733671730159656841726850","302461205799753051445955230092226699193","57112194187637446248261498324719739119","58829472313193280049382598770082536130","68292068359203861530166342547526691991","134811942775173899220273855476063794859","219248169257693709034002634629768178721","237029341373741985882515097146900290602","263736118670371286378813463674248650501","96521176151311858773600721623055582987","132502329913308101805401509837840037810","28140113725366921053919008788260525061","241445852103753364234919194421385055538","226954586919203438851625700279956642990"],"threshold":0.9},"target":{"file":"src/api_manager/context/request_context.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-a1494bfb","signature_version":"v1","signature_type":"Line"},{"digest":{"line_hashes":["300119219885327139018461051672314803009","337533291503229458590404377686864739512","139366199344688441814086521608115372964","85301578765280906918261503244636984123","246687342681984053806172157003498406689","134340592871228967635213229674730594500","56177407532921156374502173849913931461","160194392783416061026129546712681709080","10940267128672146297807645781573271175","160404830798029446371374970549594820475","49140582215005592988523955241051336470","109740612534665862525889148847148583257","270775805351086202524836436840829979913","300753368704880297024072667485250482931","47474681906262376659959024685575757389","173689642430977657500433355265718252255","308529050154063505659666420572318005720","291494427979477733197722163514763012739","63253837465277945949487250440565044829"],"threshold":0.9},"target":{"file":"src/api_manager/check_auth_test.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-a9ea2b7c","signature_version":"v1","signature_type":"Line"},{"digest":{"length":1229,"function_hash":"273504356146866837069438321135313695602"},"target":{"function":"NgxEspRequest::AddHeaderToBackend","file":"src/nginx/request.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-b3fc5d79","signature_version":"v1","signature_type":"Function"},{"digest":{"length":1837,"function_hash":"55000361284885886160252975262586210432"},"target":{"function":"TEST_F","file":"src/api_manager/check_auth_test.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-de94b3a4","signature_version":"v1","signature_type":"Function"},{"digest":{"line_hashes":["340277736093740716423926175960361932002","219854530106350367519264802028751092444","32973727138982213779997415781439563347","156392869259015074243303489436519827497"],"threshold":0.9},"target":{"file":"src/nginx/request.h"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-eb63060f","signature_version":"v1","signature_type":"Line"},{"digest":{"length":834,"function_hash":"273341284600782350224804379278849970831"},"target":{"function":"RequestContext::AddInstanceIdentityToken","file":"src/api_manager/context/request_context.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-f2d085dd","signature_version":"v1","signature_type":"Function"},{"digest":{"length":120,"function_hash":"255050036760865819852197525538080882456"},"target":{"function":"RequestContext::SetApiKeyHeader","file":"src/api_manager/context/request_context.cc"},"source":"https://github.com/cloudendpoints/esp/commit/e310c4f91d229a072507f80c73811489b4cdff27","deprecated":false,"id":"CVE-2021-41130-f4988531","signature_version":"v1","signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}