Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2023-20882: Gorouter pruning via client disconnect resulting in DOS




Cloud Foundry Foundation


A bug in the gorouter process for the versions from 0.262.0 and prior to 0.266.0 of routing-release can lead to a denial of service of applications hosted on Cloud Foundry. Under the right circumstances, when client connections are closed prematurely, gorouter marks the currently selected backend as failed and removes it from the routing pool. It then retries up to two more times on different backends, also marking them as failed and removing them from the routing pool. When done repeatedly, this can remove all backends from an application’s route.

This issue may be mitigated in some environments, depending on the configuration of any load balancing/proxying layers present between the client + gorouter.

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

  • Routing
    • All versions from 0.262.0 and prior to 0.266.0
  • CF Deployment
    • All versions from 27.4.0 and through 28.2.0


Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • Routing
    • Upgrade all versions to 0.266.0 or greater
    • All other stemcells should be upgraded to the latest version available on
  • CF Deployment
    • Upgrade all versions to 29.0.0 or greater


This issue was responsibly reported by Geoff Franks.


2023-05-22: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR