52 matches found
CVE-2023-35945
CVE-2023-35945 affects Envoy’s HTTP/2 codec. The root cause is in nghttp2 cleanup: after RST_STREAM and subsequent GOAWAY, cleanup of pending requests skips deallocation, leaking header/bookkeeping structures and causing memory exhaustion (DoS). Patched in these versions: 1.26.3, 1.25.8, 1.24.9, ...
CVE-2023-27488
Envoy CVE-2023-27488 affects multiple 1.x branches prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9. When an HTTP header with non-UTF-8 data is processed with ext_authz/ext_proc/tap/ratelimit and gRPC log services, Envoy could generate an invalid protobuf message. The receiving service could e...
CVE-2023-27487
CVE-2023-27487 affects Envoy (edge/service proxy). The issue: a client can forge the internal x-envoy-original-path header because Envoy does not remove it early in request processing, allowing forged values to influence trace/grpc logs and jwt_authn URL checks. Impact is high (confidentiality/in...
CVE-2021-43826
CVE-2021-43826 affects Envoy: a crash occurs in affected versions when tunneling TCP over HTTP is used and the downstream connection disconnects while the upstream connection or HTTP/2 stream is still establishing. This is a crash (not a memory corruption) with availability impact; no public expl...
CVE-2023-27493
Envoy (CVE-2023-27493) fails to sanitize or escape certain request properties when constructing headers, allowing characters illegal in header values to be sent upstream. This can cause the upstream service to interpret the request as two pipelined requests, potentially bypassing Envoy’s security...
CVE-2021-43824
CVE-2021-43824 affects Envoy. In affected versions, a crafted request with a CONNECT to the JWT filter configured with a regex match can crash Envoy, enabling a denial-of-service. The root cause is tied to the JWT filter when regex matching is used. Impact is described as a partial availability l...
CVE-2023-27492
CVE-2023-27492 describes a denial-of-service in Envoy’s Lua filter prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, triggered by large request bodies on routes with Lua enabled. The issue arises from the Lua coroutine being invoked even when the filter has been reset, leading to cras...
CVE-2021-43825
CVE-2021-43825 is a vulnerability in Envoy where a buffer overflow during response processing in the filter chain may cause a use-after-free, potentially crashing the process and causing a denial of service. The provided connected documents (OSV, RHSA/Nessus listings) describe the issue as a use-...
CVE-2023-27496
CVE-2023-27496 affects the Envoy proxy. Prior to patch versions (1.26.0, 1.25.3, 1.24.4, 1.23.6, 1.22.9), an OAuth redirect response without the state parameter could cause abnormal termination of the Envoy process when the redirect path is requested. A patch is available in those lines; mitigati...
CVE-2022-21655
CVE-2022-21655 affects Envoy’s common router: if an internal redirect selects a route configured with direct response or redirect actions, it can segfault, causing a denial of service. The available sources confirm this behavior and provide a workaround: disable internal redirects on listeners wh...
CVE-2024-30255
Envoy's HTTP/2 implementation is vulnerable to CPU exhaustion from a flood of CONTINUATION frames in versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8. The vulnerability lets an attacker send unlimited CONTINUATION frames without END_HEADERS, causing high CPU usage and potential denial of serv...
CVE-2023-27491
CVE-2023-27491 affects Envoy: a non-compliant HTTP/1 service may allow malformed requests to bypass security policies. The BIT-ENVOY-2023-27491 entry documents that this vulnerability can be triggered in pre‑fix releases and that the issue is fixed in Envoy versions 1.26.0, 1.25.3, 1.24.4, 1.23.6...
CVE-2022-21656
CVE-2022-21656 concerns Envoy. The connected sources describe a type-confusion bug in the default_validator.cc handling of subjectAltNames that can allow rfc822Name or URI names to be treated as domain names, bypassing nameConstraints from OpenSSL/BoringSSL and enabling impersonation of upstream ...
CVE-2021-29492
Envoy versions up to 1.18.2 contain a URL-path decoding flaw: escaped slashes (%2F, %5C) are not decoded, allowing an attacker to craft paths like /something%2F..%2Fadmin to bypass access controls and escalate privileges when RBAC/JWT filters enforce path-based policies. This can let a backend se...
CVE-2022-21657
Envoy CVE-2022-21657: In affected Envoy versions, certificate validation does not restrict peer certificates to those with the correct extendedKeyUsage (serverAuth/clientAuth); an e-mail or other non-authorized EKU certificate may be accepted for TLS, potentially allowing upstream certificates to...
CVE-2022-29225
CVE-2022-29225 affects Envoy where secompressors in versions before 1.22.1 accumulate decompressed data and overwrite the body during decode/encode, potentially allowing a zip bomb attack that exhausts memory and causes DoS. The connected sources confirm this behavior and the advised mitigation i...
CVE-2026-47774
CVE-2026-47774 affects Envoy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. A vulnerability in HTTP/2 downstream request processing combines two issues: (1) cookie header bytes are not fully accounted for during request header size validation, and (2) HPACK header limits are enforced on e...
CVE-2022-29224
CVE-2022-29224 : Envoy
CVE-2024-45810
CVE-2024-45810 affects Envoy. The vulnerability is a crash in the HTTP async client when handling sendLocalReply under certain conditions (e.g., websocket upgrade or request mirroring). Root causes described include duplicate status code handling and destructor-order issues in the async stream, l...
CVE-2020-8660
CVE-2020-8660 concerns CNCF Envoy up to version 1.13.0. The TLS inspector could be bypassed when a TLS 1.3 client is used, because TLS extensions such as SNI and ALPN were not inspected, potentially causing connections to be matched to the wrong filter chain and bypassing some security restrictio...
CVE-2025-30157
CVE-2025-30157 – Envoy ext_proc filter crash (Affects multiple 1.x releases) The issue affects Envoy’s ext_proc HTTP filter. A life-time management flaw can cause Envoy to crash when a local reply is sent to the external server, with a known scenario involving a failed websocket handshake trigger...
CVE-2024-45806
CVE-2024-45806 affects Envoy, a cloud-native edge proxy. The vulnerability stems from Envoy’s default handling of internal RFC1918 addresses, which are trusted even if internal_address_config is empty. An external client could exploit this to manipulate headers (e.g., x-envoy headers), potentiall...
CVE-2022-29226
Envoy proxy vulnerability CVE-2022-29226 affects the OAuth filter prior to v1.22.1, where there is no token validation in the filter, causing access to be granted when any access token is present. A fix is to upgrade Envoy to a version that includes proper access-token validation (v1.22.1 or late...
CVE-2022-29227
Envoy has a use-after-free in versions before 1.22.1 triggered when replaying an HTTP request with an internal redirect that contains more than the HTTP headers; if a local reply is emitted while redirect headers are processed and the downstream state marks the stream incomplete, Envoy attempts t...
CVE-2022-29228
CVE-2022-29228 affects Envoy’s OAuth filter: in versions prior to 1.22.1, after emitting a local response the filter may call continueDecoding, triggering an assertion in newer builds and memory corruption in older ones. The issue arises from continuing the filter chain after a local reply has be...
CVE-2024-53270
Envoy proxy vulnerability CVE-2024-53270 affects affected releases where sendOverloadError may assume an active_request exists when envoy.load_shed_points.http1_server_abort_dispatch is configured. If active_request is nullptr, onMessageBeginImpl can return ok despite the stream being reset, caus...
CVE-2020-35471
Envoy prior to 1.16.1 is affected by CVE-2020-35471 due to mishandling dropped and truncated UDP datagrams, demonstrable as a segmentation fault when UDP packet size exceeds 1500. Publicly documented fixes indicate upgrading to a release containing the patch (e.g., OpenSUSE/SUSE advisories and OS...
CVE-2020-15104
CVE-2020-15104 describes a TLS certificate validation issue in Envoy prior to 1.12.6, 1.13.4, 1.14.4, and 1.15.0 where a wildcard DNS SAN could apply to multiple subdomains, e.g., *.example.com allowing nested.subdomain.example.com instead of only subdomain.example.com. The defect affects both cl...
CVE-2020-35470
CVE-2020-35470 — Envoy Proxy : This vulnerability arises in Envoy before 1.16.1, which logs an incorrect downstream address by only considering the directly connected peer instead of the information in the proxy protocol header. It affects scenarios using tcp-proxy as the network filter (not HTTP...
CVE-2024-23326
CVE-2024-23326 is a vulnerability in Envoy (an open source cloud-native edge and service proxy) where a server can be tricked into adding an upgrade header in a response, causing request smuggling. The root cause is Envoy accepting a 200 response in a protocol upgrade flow (RFC 7230 §6.7 discusse...
CVE-2021-39162
CVE-2021-39162 affects Pomerium via its Envoy-based upstream processing. An H2 GOAWAY plus SETTINGS frame received in the same IO event can cause Envoy to terminate abnormally, leading to DoS when untrusted upstreams are present. The mitigation/patch is in version 0.15.1 (Envoy upgrade). If only ...
CVE-2024-45808
CVE-2024-45808 affects the Envoy proxy and stems from insufficient validation of the REQUESTED_SERVER_NAME in access loggers, enabling potential log content manipulation. Affected versions are 1.31.2, 1.30.6, 1.29.9, and 1.28.7; upgrade to the fixed releases to remediate. The connected sources co...
CVE-2020-25017
CVE-2020-25017 affects Envoy up to version 1.15.0. The vulnerability arises because when multiple HTTP header values are present, Envoy only considers the first value, and its header map API setCopy() does not replace all existing occurrences of a non-inline header. This behavior is described in ...
CVE-2021-39206
CVE-2021-39206 references Envoy vulnerabilities CVE-2021-32777 and CVE-2021-32779 within Pomerium. The issue can lead to incorrect authorization or routing decisions when path-prefix policy is used. Pomerium has patched Envoy in v0.14.8 and v0.15.1; mitigation also includes removing path-prefix p...
CVE-2024-34364
Envoy (the cloud-native proxy) is affected by CVE-2024-34364: an out-of-memory (OOM) condition caused by the async HTTP client buffering the mirror response with an unbounded buffer. This unbounded buffering can lead to memory exhaustion and potential DoS. Public documents attribute the issue to ...
CVE-2025-46821
CVE-2025-46821 concerns Envoy, a cloud-native edge/middle/service proxy. Affects prior releases up to 1.34.1, 1.33.3, 1.32.6, and 1.31.8 where the URI template matcher incorrectly excludes the * character in the URI path, causing URI templates to fail to match and potentially bypass RBAC rules co...
CVE-2024-32975
CVE-2024-32975 affects Envoy’s QUIC stack. It describes a crash caused by an integer underflow in QuicStreamSequencerBuffer::PeekRegion(), leading to a crash at QuicheDataReader::PeekVarInt62Length(). The vulnerability is triggered by the underflow, resulting in a crash and potential denial of se...
CVE-2024-32974
CVE-2024-32974 is a use-after-free in Envoy’s QUIC stack. A crash occurs in EnvoyQuicServerStream::OnInitialHeadersComplete() because QUICHE may push request headers after StopReading() and the HCM ActiveStream has been destroyed, risking use-after-free when QUICHE makes up calls. This can crash ...
CVE-2024-34362
CVE-2024-34362 affects Envoy’s QUIC stack: a use-after-free in HttpConnectionManager with EnvoyQuicServerStream can crash the process. Exploitation described as crafted request sequencing (no FIN, then RESET_STREAM, then close). No explicit exploit details in the Initial description; connected ad...
CVE-2026-26310
Envoy (the Envoy proxy) has a vulnerability CVE-2026-26310 where calling Utility::getAddressWithPort with scoped IPv6 addresses can crash the data plane via original_src/dns filters. Affected pre-1.37.1 releases (and some older branches) are fixed in versions 1.37.1, 1.36.5, 1.35.8, and 1.34.13. ...
CVE-2026-47778
Envoy CVE-2026-47778 describes a TLS DNS SAN truncation flaw in DefaultCertValidator::verifySubjectAltName. Before 1.35.11, 1.36.7, 1.37.3, and 1.38.1, an embedded NUL in a dNSName SAN can be partially preserved by generalNameAsString but truncated when converted to a C-style string via .c_str(),...
CVE-2026-48497
CVE-2026-48497 affects Envoy and relates to the UDP DNS filter. Before versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a query with a DNS name of exactly 255 octets (local or remote resolution) can trigger abnormal process termination due to an invalid runtime precondition that the name must be str...
CVE-2025-55162
CVE-2025-55162 affects Envoy (OAuth2 filter). The issue is insufficient Session Expiration: when cookie names are __Secure- or __Host-, the filter fails to add the Secure attribute to the Set-Cookie header during deletion, causing cookies to persist and enabling session hijacking on shared machin...
CVE-2025-64527
Envoy vulnerability CVE-2025-64527: In versions 1.33.12, 1.34.10, 1.35.6, 1.36.2 and earlier, a re-entry bug in JwksFetcherImpl triggers a crash when JWT authentication uses remote JWKS with allow_missing_or_failed and multiple tokens in headers if the JWKS fetch fails. The first token’s JWKS fet...
CVE-2025-64763
Envoy CVE-2025-64763 relates to a de-synchronization risk in TCP proxy mode where Envoy may accept client data for CONNECT requests before sending a 2xx response, and then forward that data to the upstream connection. If the upstream proxy returns a non‑2xx status, the CONNECT tunnel state can be...
CVE-2026-26309
Envoy CVE-2026-26309 describes an off-by-one write in Envoy::JsonEscaper::escapeString() that can corrupt std::string null-termination, causing undefined behavior and potentially crashes or out-of-bounds reads when treated as a C-string. Affected before 1.37.1, 1.36.5, 1.35.8, 1.34.13. The vulner...
CVE-2025-62504
Envoy Lua filter use-after-free is fixed in versions 1.36.2, 1.35.6, 1.34.10, and 1.33.12. The vulnerability occurs when a Lua script rewriting the response body causes the size to exceed per_connection_buffer_limit_bytes, leading to a local reply that can override headers and crash the process, ...
CVE-2026-26330
CVE-2026-26330 affects Envoy prior to versions 1.37.1, 1.36.5, 1.35.8, and 1.34.13. The issue occurs in the rate limit filter when the response phase limit is enabled and the response phase limit request fails directly, causing a crash due to access to an inner state that is not cleaned up after ...
CVE-2025-66220
Envoy vulnerability CVE-2025-66220: Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte inside an OTHERNAME SAN value as valid matches. Affected versions include 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier. Descr...
CVE-2025-62409
CVE-2025-62409 affects Envoy, where large requests/responses can trigger TCP connection pool crashes due to flow-control handling when the connection is closing but upstream data still arrives, causing a buffer watermark callback nullptr reference. Affected products include the Envoy core with TC...