CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-30157 – Envoy crashes when HTTP ext_proc processes local replies
https://notcve.org/view.php?id=CVE-2025-30157
21 Mar 2025 — Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's life time issue. A known situation is the failure of a websocket handshake will trigger a local reply leading to the crash of Envoy. This vulnerability is fixed in 1.33.1, 1.32.4, 1.31.6, and 1.30.10. • https://github.com/envoyproxy/envoy/commit/8eda1b8ef5ba8663d16a737ab99458c039a9b53c • CWE-460: Improper Cleanup on Thrown Exception •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-53271 – HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset in envoy
https://notcve.org/view.php?id=CVE-2024-53271
18 Dec 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. • https://github.com/envoyproxy/envoy/commit/da56f6da63079baecef9183436ee5f4141a59af8 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53270 – HTTP/1: sending overload crashes when the request is reset beforehand in envoy
https://notcve.org/view.php?id=CVE-2024-53270
18 Dec 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. • https://github.com/envoyproxy/envoy/pull/37743/commits/6cf8afda956ba67c9afad185b962325a5242ef02 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53269 – Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting in envoy
https://notcve.org/view.php?id=CVE-2024-53269
18 Dec 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. When additional address are not ip addresses, then the Happy Eyeballs sorting algorithm will crash in data plane. This issue has been addressed in releases 1.32.2, 1.31.4, and 1.30.8. Users are advised to upgrade. Users unable to upgrade may disable Happy Eyeballs and/or change the IP configuration. • https://github.com/envoyproxy/envoy/pull/37743/commits/3f62168d86aceb90f743f63b50cc711710b1c401 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-45806 – Potential manipulate `x-envoy` headers from external sources in envoy
https://notcve.org/view.php?id=CVE-2024-45806
19 Sep 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. A security vulnerability in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. This issue arises due to Envoy's default configuration of internal trust boundaries, which considers all RFC1918 private address ranges as internal. The default behavior for handling internal addresses in Envoy has been changed. Previously, RFC1918 IP addresses were aut... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45807 – oghttp2 crash on OnBeginHeadersForStream in envoy
https://notcve.org/view.php?id=CVE-2024-45807
19 Sep 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using `oghttp` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the `oghttp2` by default. The impact of this issue is that envoy will crash. This issue has been addressed in release version 1.31.2. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37 • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-45808 – Malicious log injection via access logs in envoy
https://notcve.org/view.php?id=CVE-2024-45808
19 Sep 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc • CWE-117: Improper Output Neutralization for Logs •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-45809 – Jwt filter crash in the clear route cache with remote JWKs in envoy
https://notcve.org/view.php?id=CVE-2024-45809
19 Sep 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. Jwt filter will lead to an Envoy crash when clear route cache with remote JWKs. In the following case: 1. remote JWKs are used, which requires async header processing; 2. clear_route_cache is enabled on the provider; 3. header operations are enabled in JWT filter, e.g. header to claims feature; 4. the routing table is configured in a way that the JWT header operations modify requests to not match any route. When these conditions are met, a ... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-wqr5-qmq7-3qw3 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-45810 – Envoy crashes for LocalReply in http async client
https://notcve.org/view.php?id=CVE-2024-45810
19 Sep 2024 — Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy will crash when the http async client is handling `sendLocalReply` under some circumstance, e.g., websocket upgrade, and requests mirroring. The http async client will crash during the `sendLocalReply()` in http async client, one reason is http async client is duplicating the status code, another one is the destroy of router is called at the destructor of the async stream, while the stream is deferred deleted at first. There will be p... • https://github.com/envoyproxy/envoy/security/advisories/GHSA-qm74-x36m-555q • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-39305 – Envoy Proxy use after free when route hash policy is configured with cookie attributes
https://notcve.org/view.php?id=CVE-2024-39305
01 Jul 2024 — Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory allocated for holding attribute values is freed after configuration was parsed. • https://github.com/envoyproxy/envoy/commit/02a06681fbe0e039b1c7a9215257a7537eddb518 • CWE-416: Use After Free •