13 matches found

OSV
added 2025/12/06 11:38 a.m. · 2 views

BIT-ENVOY-2025-64527 Envoy crashes when JWT authentication is configured with the remote JWKS fetching

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch...

CVSS 6.5 · AI score 7.1 · EPSS 0.00004
Exploits 1 · References 2
Github Security Blog
added 2025/12/05 6:12 p.m. · 5 views

Envoy crashes when JWT authentication is configured with the remote JWKS fetching

Summary: Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails.
Details: This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS...

CVSS 6.5 · AI score 7.2 · EPSS 0.00004
Exploits 1 · References 3 · Affected Software 1
OSV
added 2025/12/05 6:12 p.m. · 2 views

GHSA-MP85-7MRQ-R866 Envoy crashes when JWT authentication is configured with the remote JWKS fetching

Summary: Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails.
Details: This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS...

CVSS 6.5 · AI score 7.2 · EPSS 0.00004
Exploits 1 · References 3
EUVD
added 2025/12/05 6:12 p.m. · 2 views

EUVD-2025-201100

Envoy crashes when JWT authentication is configured with the remote JWKS fetching...

CVSS 6.5 · AI score 6.7 · EPSS 0.00004
Exploits 1 · References 2
Vulnrichment
added 2025/12/03 6:04 p.m. · 1 views

CVE-2025-64527 Envoy crashes when JWT authentication is configured with the remote JWKS fetching

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch...

CVSS 6.5 · AI score 6.8 · EPSS 0.00004
Exploits 1 · References 1
CVE
added 2025/12/03 6:04 p.m. · 10 views

CVE-2025-64527

Envoy vulnerability CVE-2025-64527: In versions 1.33.12, 1.34.10, 1.35.6, 1.36.2 and earlier, a re-entry bug in JwksFetcherImpl triggers a crash when JWT authentication uses remote JWKS with allow_missing_or_failed and multiple tokens in headers if the JWKS fetch fails. The first token's JWKS fet...

CVSS 6.5 · AI score 6.8 · EPSS 0.00004
Exploits 1 · References 1 · Affected Software 1
Positive Technologies
added 2025/12/03 12:00 a.m. · 3 views

PT-2025-48969

Name of the Vulnerable Software and Affected Versions: Envoy versions 1.33.12 through 1.36.2
Description: Envoy, a high-performance edge/middle/service proxy, experiences crashes when JWT authentication is configured with remote JWKS fetching enabled, allow_missing_or_failed is set to true, multipl...

CVSS 6.5 · AI score 6.9 · EPSS 0.00004
Exploits 1 · References 10
Circl
added 2023/12/29 8:26 a.m. · 0 views

CVE-2023-7158

creationtimestamp | type | source
---|---|---
2023-12-29 08:26:53+00:00 | seen | https://t.me/ctinow/160376
2023-12-30 01:35:16+00:00 | seen | https://t.me/cibsecurity/73908
2024-01-05 17:16:23+00:00 | seen | https://t.me/ctinow/163602
2024-01-20 13:11:58+00:00 | seen | https://t.me/ctinow/170616
...

CVSS 9.8 · AI score 7.7 · EPSS 0.00245
Exploits 1 · References 4
Positive Technologies
added 2023/09/14 12:00 a.m. · 6 views

PT-2023-9272 · Eclipse +4 · Eclipse Jetty +4

Name of the Vulnerable Software and Affected Versions:
- Eclipse Jetty versions prior to 9.4.52
- Eclipse Jetty versions prior to 10.0.16
- Eclipse Jetty versions prior to 11.0.16
- Eclipse Jetty versions prior to 12.0.0-beta2
Description: The issue is related to the formation of a command line that...

CVSS 9.8 · AI score 7.2 · EPSS 0.944
Exploits 32 · References 116
Code423n4
added 2022/10/25 12:00 a.m. · 13 views

Optimistic bridging pattern, can lead to bridge exploitation

Lines of code
Vulnerability details
Impact: Zero deposit bridging. Whereas users can fake the depositing process but can mint multiple tokens in the destination chain. The bridging is optimistic, whereas the validation restricts to just checking the function selector and a no-error pattern, this...

AI score 7.2
Exploits 0
OSV
added 2022/04/28 2:20 p.m. · 2 views

CVE-2022-24892 Multiple valid tokens for password reset in Shopware

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they someh...

CVSS 6.4 · AI score 6.9 · EPSS 0.00285
Exploits 0 · References 5
Hacker One
added 2017/10/19 2:45 p.m. · 13 views

Infogram: Incorrect Functionality of Password reset links

Vulnerability:
- Password reset links should work in such a way that "only the last generated password reset link should be valid", i.e. if two tokens are generated at a time, then the 2nd token must work and the 1st token must be invalid.
- If not, another case is that "if some number of reset links are...

AI score 6.9
Exploits 0
RedHat Linux
added 2007/10/25 5:33 p.m. · 2 views

php money_format format string issue

The money_format function in PHP 5 before 5.2.4, and PHP 4 before 4.4.8, permits multiple (1) %i and (2) %n tokens, which has unknown impact and attack vectors, possibly related to a format string vulnerability...

CVSS 7.5 · AI score 5.8 · EPSS 0.04012
Exploits 0 · References 4