CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-30157 – Envoy crashes when HTTP ext_proc processes local replies
https://notcve.org/view.php?id=CVE-2025-30157
21 Mar 2025 — Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's life time issue. A known situation is the failure of a websocket handshake will trigger a local reply leading to the crash of Envoy. This vulnerability is fixed in 1.33.1, 1.32.4, 1.31.6, and 1.30.10. • https://github.com/envoyproxy/envoy/commit/8eda1b8ef5ba8663d16a737ab99458c039a9b53c • CWE-460: Improper Cleanup on Thrown Exception •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-25294 – Envoy Gateway Log Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-25294
06 Mar 2025 — Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection attacks. If the attacker uses a specially crafted user-agent which performs json injection, then he could add and overwrite fields to the access log. This vulnerability is fixed in 1.3.1 and 1.2.7. • https://github.com/envoyproxy/gateway/commit/8f48f5199cf1bbb9a8ac0695c5171bfef6c9198a • CWE-117: Improper Output Neutralization for Logs •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24030 – Envoy Admin Interface Exposed through prometheus metrics endpoint
https://notcve.org/view.php?id=CVE-2025-24030
23 Jan 2025 — Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the `EnvoyProxy`... • https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd • CWE-419: Unprotected Primary Channel •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-53271 – HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset in envoy
https://notcve.org/view.php?id=CVE-2024-53271
18 Dec 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. • https://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53270 – HTTP/1: sending overload crashes when the request is reset beforehand in envoy
https://notcve.org/view.php?id=CVE-2024-53270
18 Dec 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. • https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53269 – Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting in envoy
https://notcve.org/view.php?id=CVE-2024-53269
18 Dec 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. When additional address are not ip addresses, then the Happy Eyeballs sorting algorithm will crash in data plane. This issue has been addressed in releases 1.32.2, 1.31.4, and 1.30.8. Users are advised to upgrade. Users unable to upgrade may disable Happy Eyeballs and/or change the IP configuration. • https://github.com/envoyproxy/envoy/pull/37743/commits/3f62168d86aceb90f743f63b50cc711710b1c401 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-45806 – Potential manipulate `x-envoy` headers from external sources in envoy
https://notcve.org/view.php?id=CVE-2024-45806
19 Sep 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. A security vulnerability in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. This issue arises due to Envoy's default configuration of internal trust boundaries, which considers all RFC1918 private address ranges as internal. The default behavior for handling internal addresses in Envoy has been changed. Previously, RFC1918 IP addresses were aut... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45807 – oghttp2 crash on OnBeginHeadersForStream in envoy
https://notcve.org/view.php?id=CVE-2024-45807
19 Sep 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using `oghttp` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the `oghttp2` by default. The impact of this issue is that envoy will crash. This issue has been addressed in release version 1.31.2. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-45808 – Malicious log injection via access logs in envoy
https://notcve.org/view.php?id=CVE-2024-45808
19 Sep 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc • CWE-117: Improper Output Neutralization for Logs •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-45809 – Jwt filter crash in the clear route cache with remote JWKs in envoy
https://notcve.org/view.php?id=CVE-2024-45809
19 Sep 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. Jwt filter will lead to an Envoy crash when clear route cache with remote JWKs. In the following case: 1. remote JWKs are used, which requires async header processing; 2. clear_route_cache is enabled on the provider; 3. header operations are enabled in JWT filter, e.g. header to claims feature; 4. the routing table is configured in a way that the JWT header operations modify requests to not match any route. When these conditions are met, a ... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-wqr5-qmq7-3qw3 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •