Google Cloud Armor packet size bypass

Published Thu, Feb 24th, 2022


Cloud Armor has a documented limit of 8 KB on the size of web request that it will inspect. With Cloud Armor's default behavior, an oversized malicious request can bypass Cloud Armor and directly reach the underlying application. Moreover, Cloud Armor does not warn users of this limitation during policy creation or when configuring rules from within the web UI; users can only find a reference to the 8 KB limit in the Cloud Armor documentation.

Affected Services

Cloud Armor


A custom rule with the expression `int(request.headers["content-length"]) >= 8192` can be added in Advanced mode, returning a 502, 403, or 404 HTTP response status.
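One way to audit an existing policy for this mitigation, as an added example that is not part of the original advisory or Google's tooling. It assumes the policy has been exported as JSON (for instance with `gcloud compute security-policies describe POLICY --format=json`) and that rules carry `priority`, `action`, `preview` and `match.expr.expression` fields; the sample policies are constructed.

```python
import re

INSPECTION_LIMIT = 8192  # 8 KB inspection limit from the advisory
DENY_ACTIONS = {"deny(403)", "deny(404)", "deny(502)"}
# The advisory's expression, tolerating quote style, spacing and ">" vs ">=".
GUARD_RE = re.compile(
    r"""int\(\s*request\.headers\[\s*['"]content-length['"]\s*\]\s*\)\s*(>=?)\s*(\d+)""")

def audit_policy(policy):
    """Return findings; an empty list means an enforcing size guard
    is evaluated before every allow rule."""
    rules = sorted(policy.get("rules", []), key=lambda r: r["priority"])
    findings, guard_priority = [], None
    for rule in rules:
        expr = rule.get("match", {}).get("expr", {}).get("expression", "")
        m = GUARD_RE.search(expr)
        if not m:
            continue
        prio = rule["priority"]
        # Smallest Content-Length the rule matches: n for ">=", n + 1 for ">".
        smallest_denied = int(m.group(2)) + (m.group(1) == ">")
        if rule.get("action") not in DENY_ACTIONS:
            findings.append(f"priority {prio}: size rule does not deny")
        elif rule.get("preview"):
            findings.append(f"priority {prio}: size rule is in preview, not enforced")
        elif smallest_denied > INSPECTION_LIMIT:
            findings.append(f"priority {prio}: threshold above {INSPECTION_LIMIT}")
        else:
            guard_priority = prio
            break
    if guard_priority is None:
        return findings + ["no enforcing content-length guard found"]
    # Lower priority numbers are evaluated first and the first match wins,
    # so any earlier allow rule is flagged for review (a simplification).
    findings += [f"priority {r['priority']}: allow rule precedes the size guard"
                 for r in rules
                 if r.get("action") == "allow" and r["priority"] < guard_priority]
    return findings

# Constructed sample policies (not taken from the page).
DEFAULT_ALLOW = {"priority": 2147483647, "action": "allow",
                 "match": {"versionedExpr": "SRC_IPS_V1",
                           "config": {"srcIpRanges": ["*"]}}}
GUARD = {"priority": 1000, "action": "deny(403)",
         "match": {"expr": {"expression":
                            'int(request.headers["content-length"]) >= 8192'}}}
UNGUARDED = {"name": "example-policy", "rules": [DEFAULT_ALLOW]}
GUARDED = {"name": "example-policy", "rules": [DEFAULT_ALLOW, GUARD]}
PREVIEW_ONLY = {"name": "example-policy",
                "rules": [DEFAULT_ALLOW, dict(GUARD, preview=True)]}
```

`audit_policy(GUARDED)` returns an empty list, while the unguarded and preview-only policies each return findings.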

Tracked CVEs

No tracked CVEs


Disclosure Date
Thu, Feb 24th, 2022
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Karan Saini, Riyaz Walikar, Kloudle