CVE-2025-46821
Envoy vulnerable to bypass of RBAC uri_template permission
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Envoy is a cloud-native edge/middle/service proxy. Prior to versions 1.34.1, 1.33.3, 1.32.6, and 1.31.8, Envoy's URI template matcher incorrectly excludes the `*` character from a set of valid characters in the URI path. As a result URI path containing the `*` character will not match a URI template expressions. This can result in bypass of RBAC rules when configured using the `uri_template` permissions. This vulnerability is fixed in Envoy versions v1.34.1, v1.33.3, v1.32.6, v1.31.8. As a workaround, configure additional RBAC permissions using `url_path` with `safe_regex` expression.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-04-30 CVE Reserved
- 2025-05-07 CVE Published
- 2025-05-08 CVE Updated
- 2025-05-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-186: Overly Restrictive Regular Expression
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/envoyproxy/envoy/security/advisories/GHSA-c7cm-838g-6g67 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Envoyproxy Search vendor "Envoyproxy" | Envoy Search vendor "Envoyproxy" for product "Envoy" | < 1.31.8 Search vendor "Envoyproxy" for product "Envoy" and version " < 1.31.8" | en |
Affected
| ||||||
| Envoyproxy Search vendor "Envoyproxy" | Envoy Search vendor "Envoyproxy" for product "Envoy" | >= 1.32.0 < 1.32.6 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.32.0 < 1.32.6" | en |
Affected
| ||||||
| Envoyproxy Search vendor "Envoyproxy" | Envoy Search vendor "Envoyproxy" for product "Envoy" | >= 1.33.0 < 1.33.3 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.33.0 < 1.33.3" | en |
Affected
| ||||||
| Envoyproxy Search vendor "Envoyproxy" | Envoy Search vendor "Envoyproxy" for product "Envoy" | >= 1.34.0 < 1.34.1 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.34.0 < 1.34.1" | en |
Affected
| ||||||