Lucene search
K

52 matches found

CVE
CVE
added 2023/07/13 8:41 p.m.272 views

CVE-2023-35945

CVE-2023-35945 affects Envoy’s HTTP/2 codec. The root cause is in nghttp2 cleanup: after RST_STREAM and subsequent GOAWAY, cleanup of pending requests skips deallocation, leaking header/bookkeeping structures and causing memory exhaustion (DoS). Patched in these versions: 1.26.3, 1.25.8, 1.24.9, ...

7.5CVSS7.4AI score0.01106EPSS
CVE
CVE
added 2023/04/04 5:57 p.m.189 views

CVE-2023-27488

Envoy CVE-2023-27488 affects multiple 1.x branches prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9. When an HTTP header with non-UTF-8 data is processed with ext_authz/ext_proc/tap/ratelimit and gRPC log services, Envoy could generate an invalid protobuf message. The receiving service could e...

9.8CVSS7.5AI score0.00731EPSS
CVE
CVE
added 2023/04/04 3:42 p.m.179 views

CVE-2023-27487

CVE-2023-27487 affects Envoy (edge/service proxy). The issue: a client can forge the internal x-envoy-original-path header because Envoy does not remove it early in request processing, allowing forged values to influence trace/grpc logs and jwt_authn URL checks. Impact is high (confidentiality/in...

9.1CVSS8.7AI score0.00636EPSS
CVE
CVE
added 2022/02/22 10:45 p.m.170 views

CVE-2021-43826

CVE-2021-43826 affects Envoy: a crash occurs in affected versions when tunneling TCP over HTTP is used and the downstream connection disconnects while the upstream connection or HTTP/2 stream is still establishing. This is a crash (not a memory corruption) with availability impact; no public expl...

7.5CVSS7.5AI score0.01046EPSS
CVE
CVE
added 2023/04/04 7:46 p.m.170 views

CVE-2023-27493

Envoy (CVE-2023-27493) fails to sanitize or escape certain request properties when constructing headers, allowing characters illegal in header values to be sent upstream. This can cause the upstream service to interpret the request as two pipelined requests, potentially bypassing Envoy’s security...

9.1CVSS8.7AI score0.00507EPSS
CVE
CVE
added 2022/02/22 10:15 p.m.167 views

CVE-2021-43824

CVE-2021-43824 affects Envoy. In affected versions, a crafted request with a CONNECT to the JWT filter configured with a regex match can crash Envoy, enabling a denial-of-service. The root cause is tied to the JWT filter when regex matching is used. Impact is described as a partial availability l...

7.5CVSS7.2AI score0.01046EPSS
CVE
CVE
added 2023/04/04 6:34 p.m.165 views

CVE-2023-27492

CVE-2023-27492 describes a denial-of-service in Envoy’s Lua filter prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, triggered by large request bodies on routes with Lua enabled. The issue arises from the Lua coroutine being invoked even when the filter has been reset, leading to cras...

6.5CVSS6.6AI score0.00686EPSS
CVE
CVE
added 2022/02/22 10:45 p.m.164 views

CVE-2021-43825

CVE-2021-43825 is a vulnerability in Envoy where a buffer overflow during response processing in the filter chain may cause a use-after-free, potentially crashing the process and causing a denial of service. The provided connected documents (OSV, RHSA/Nessus listings) describe the issue as a use-...

7.5CVSS6.8AI score0.00864EPSS
CVE
CVE
added 2023/04/04 7:48 p.m.164 views

CVE-2023-27496

CVE-2023-27496 affects the Envoy proxy. Prior to patch versions (1.26.0, 1.25.3, 1.24.4, 1.23.6, 1.22.9), an OAuth redirect response without the state parameter could cause abnormal termination of the Envoy process when the redirect path is requested. A patch is available in those lines; mitigati...

7.5CVSS7.6AI score0.00758EPSS
CVE
CVE
added 2022/02/22 10:40 p.m.163 views

CVE-2022-21655

CVE-2022-21655 affects Envoy’s common router: if an internal redirect selects a route configured with direct response or redirect actions, it can segfault, causing a denial of service. The available sources confirm this behavior and provide a workaround: disable internal redirects on listeners wh...

7.5CVSS7.4AI score0.01127EPSS
CVE
CVE
added 2024/04/04 7:41 p.m.160 views

CVE-2024-30255

Envoy's HTTP/2 implementation is vulnerable to CPU exhaustion from a flood of CONTINUATION frames in versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8. The vulnerability lets an attacker send unlimited CONTINUATION frames without END_HEADERS, causing high CPU usage and potential denial of serv...

7.5CVSS5.5AI score0.8781EPSS
CVE
CVE
added 2023/04/04 6:18 p.m.158 views

CVE-2023-27491

CVE-2023-27491 affects Envoy: a non-compliant HTTP/1 service may allow malformed requests to bypass security policies. The BIT-ENVOY-2023-27491 entry documents that this vulnerability can be triggered in pre‑fix releases and that the issue is fixed in Envoy versions 1.26.0, 1.25.3, 1.24.4, 1.23.6...

9.1CVSS6.9AI score0.00869EPSS
CVE
CVE
added 2022/02/22 10:25 p.m.149 views

CVE-2022-21656

CVE-2022-21656 concerns Envoy. The connected sources describe a type-confusion bug in the default_validator.cc handling of subjectAltNames that can allow rfc822Name or URI names to be treated as domain names, bypassing nameConstraints from OpenSSL/BoringSSL and enabling impersonation of upstream ...

7.4CVSS6AI score0.00768EPSS
CVE
CVE
added 2021/05/28 9:0 p.m.145 views

CVE-2021-29492

Envoy versions up to 1.18.2 contain a URL-path decoding flaw: escaped slashes (%2F, %5C) are not decoded, allowing an attacker to craft paths like /something%2F..%2Fadmin to bypass access controls and escalate privileges when RBAC/JWT filters enforce path-based policies. This can let a backend se...

8.3CVSS8AI score0.68383EPSS
CVE
CVE
added 2022/02/22 10:30 p.m.139 views

CVE-2022-21657

Envoy CVE-2022-21657: In affected Envoy versions, certificate validation does not restrict peer certificates to those with the correct extendedKeyUsage (serverAuth/clientAuth); an e-mail or other non-authorized EKU certificate may be accepted for TLS, potentially allowing upstream certificates to...

6.8CVSS6.6AI score0.00509EPSS
CVE
CVE
added 2022/06/09 7:15 p.m.136 views

CVE-2022-29225

CVE-2022-29225 affects Envoy where secompressors in versions before 1.22.1 accumulate decompressed data and overwrite the body during decode/encode, potentially allowing a zip bomb attack that exhausts memory and causes DoS. The connected sources confirm this behavior and the advised mitigation i...

7.5CVSS8.3AI score0.0144EPSS
CVE
CVE
added 2026/06/17 4:58 p.m.136 views

CVE-2026-47774

CVE-2026-47774 affects Envoy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. A vulnerability in HTTP/2 downstream request processing combines two issues: (1) cookie header bytes are not fully accounted for during request header size validation, and (2) HPACK header limits are enforced on e...

7.5CVSS5.8AI score0.00815EPSS
CVE
CVE
added 2022/06/09 7:10 p.m.131 views

CVE-2022-29224

CVE-2022-29224 : Envoy

5.9CVSS7.2AI score0.00948EPSS
CVE
CVE
added 2024/09/19 11:34 p.m.129 views

CVE-2024-45810

CVE-2024-45810 affects Envoy. The vulnerability is a crash in the HTTP async client when handling sendLocalReply under certain conditions (e.g., websocket upgrade or request mirroring). Root causes described include duplicate status code handling and destructor-order issues in the async stream, l...

7.5CVSS7AI score0.00637EPSS
CVE
CVE
added 2020/03/04 9:10 p.m.126 views

CVE-2020-8660

CVE-2020-8660 concerns CNCF Envoy up to version 1.13.0. The TLS inspector could be bypassed when a TLS 1.3 client is used, because TLS extensions such as SNI and ALPN were not inspected, potentially causing connections to be matched to the wrong filter chain and bypassing some security restrictio...

5.3CVSS5.6AI score0.00606EPSS
CVE
CVE
added 2025/03/21 2:49 p.m.118 views

CVE-2025-30157

CVE-2025-30157 – Envoy ext_proc filter crash (Affects multiple 1.x releases) The issue affects Envoy’s ext_proc HTTP filter. A life-time management flaw can cause Envoy to crash when a local reply is sent to the external server, with a known scenario involving a failed websocket handshake trigger...

7.5CVSS6.3AI score0.00406EPSS
CVE
CVE
added 2024/09/19 11:34 p.m.116 views

CVE-2024-45806

CVE-2024-45806 affects Envoy, a cloud-native edge proxy. The vulnerability stems from Envoy’s default handling of internal RFC1918 addresses, which are trusted even if internal_address_config is empty. An external client could exploit this to manipulate headers (e.g., x-envoy headers), potentiall...

6.5CVSS6.8AI score0.00378EPSS
CVE
CVE
added 2022/06/09 7:25 p.m.108 views

CVE-2022-29226

Envoy proxy vulnerability CVE-2022-29226 affects the OAuth filter prior to v1.22.1, where there is no token validation in the filter, causing access to be granted when any access token is present. A fix is to upgrade Envoy to a version that includes proper access-token validation (v1.22.1 or late...

10CVSS9.4AI score0.01238EPSS
CVE
CVE
added 2022/06/09 7:30 p.m.108 views

CVE-2022-29227

Envoy has a use-after-free in versions before 1.22.1 triggered when replaying an HTTP request with an internal redirect that contains more than the HTTP headers; if a local reply is emitted while redirect headers are processed and the downstream state marks the stream incomplete, Envoy attempts t...

7.5CVSS8.3AI score0.01141EPSS
CVE
CVE
added 2022/06/09 7:20 p.m.107 views

CVE-2022-29228

CVE-2022-29228 affects Envoy’s OAuth filter: in versions prior to 1.22.1, after emitting a local response the filter may call continueDecoding, triggering an assertion in newer builds and memory corruption in older ones. The issue arises from continuing the filter chain after a local reply has be...

7.5CVSS8.3AI score0.01173EPSS
CVE
CVE
added 2024/12/18 7:12 p.m.102 views

CVE-2024-53270

Envoy proxy vulnerability CVE-2024-53270 affects affected releases where sendOverloadError may assume an active_request exists when envoy.load_shed_points.http1_server_abort_dispatch is configured. If active_request is nullptr, onMessageBeginImpl can return ok despite the stream being reset, caus...

7.5CVSS7.4AI score0.00687EPSS
CVE
CVE
added 2020/12/15 12:48 a.m.93 views

CVE-2020-35471

Envoy prior to 1.16.1 is affected by CVE-2020-35471 due to mishandling dropped and truncated UDP datagrams, demonstrable as a segmentation fault when UDP packet size exceeds 1500. Publicly documented fixes indicate upgrading to a release containing the patch (e.g., OpenSUSE/SUSE advisories and OS...

7.5CVSS7.5AI score0.02364EPSS
CVE
CVE
added 2020/07/14 10:5 p.m.85 views

CVE-2020-15104

CVE-2020-15104 describes a TLS certificate validation issue in Envoy prior to 1.12.6, 1.13.4, 1.14.4, and 1.15.0 where a wildcard DNS SAN could apply to multiple subdomains, e.g., *.example.com allowing nested.subdomain.example.com instead of only subdomain.example.com. The defect affects both cl...

5.5CVSS5.2AI score0.00252EPSS
CVE
CVE
added 2020/12/15 12:48 a.m.82 views

CVE-2020-35470

CVE-2020-35470 — Envoy Proxy : This vulnerability arises in Envoy before 1.16.1, which logs an incorrect downstream address by only considering the directly connected peer instead of the information in the proxy protocol header. It affects scenarios using tcp-proxy as the network filter (not HTTP...

8.8CVSS8.5AI score0.00974EPSS
CVE
CVE
added 2024/06/04 8:5 p.m.80 views

CVE-2024-23326

CVE-2024-23326 is a vulnerability in Envoy (an open source cloud-native edge and service proxy) where a server can be tricked into adding an upgrade header in a response, causing request smuggling. The root cause is Envoy accepting a 200 response in a protocol upgrade flow (RFC 7230 §6.7 discusse...

8.2CVSS6.6AI score0.00361EPSS
CVE
CVE
added 2021/09/09 10:5 p.m.77 views

CVE-2021-39162

CVE-2021-39162 affects Pomerium via its Envoy-based upstream processing. An H2 GOAWAY plus SETTINGS frame received in the same IO event can cause Envoy to terminate abnormally, leading to DoS when untrusted upstreams are present. The mitigation/patch is in version 0.15.1 (Envoy upgrade). If only ...

8.6CVSS8.4AI score0.01638EPSS
CVE
CVE
added 2024/09/19 11:34 p.m.75 views

CVE-2024-45808

CVE-2024-45808 affects the Envoy proxy and stems from insufficient validation of the REQUESTED_SERVER_NAME in access loggers, enabling potential log content manipulation. Affected versions are 1.31.2, 1.30.6, 1.29.9, and 1.28.7; upgrade to the fixed releases to remediate. The connected sources co...

6.5CVSS6.7AI score0.00353EPSS
CVE
CVE
added 2020/10/01 4:39 p.m.73 views

CVE-2020-25017

CVE-2020-25017 affects Envoy up to version 1.15.0. The vulnerability arises because when multiple HTTP header values are present, Envoy only considers the first value, and its header map API setCopy() does not replace all existing occurrences of a non-inline header. This behavior is described in ...

8.3CVSS8.1AI score0.01317EPSS
CVE
CVE
added 2021/09/09 10:10 p.m.71 views

CVE-2021-39206

CVE-2021-39206 references Envoy vulnerabilities CVE-2021-32777 and CVE-2021-32779 within Pomerium. The issue can lead to incorrect authorization or routing decisions when path-prefix policy is used. Pomerium has patched Envoy in v0.14.8 and v0.15.1; mitigation also includes removing path-prefix p...

8.6CVSS8.7AI score0.01457EPSS
CVE
CVE
added 2024/06/04 8:59 p.m.64 views

CVE-2024-34364

Envoy (the cloud-native proxy) is affected by CVE-2024-34364: an out-of-memory (OOM) condition caused by the async HTTP client buffering the mirror response with an unbounded buffer. This unbounded buffering can lead to memory exhaustion and potential DoS. Public documents attribute the issue to ...

6.5CVSS6.3AI score0.00467EPSS
CVE
CVE
added 2025/05/07 9:24 p.m.63 views

CVE-2025-46821

CVE-2025-46821 concerns Envoy, a cloud-native edge/middle/service proxy. Affects prior releases up to 1.34.1, 1.33.3, 1.32.6, and 1.31.8 where the URI template matcher incorrectly excludes the * character in the URI path, causing URI templates to fail to match and potentially bypass RBAC rules co...

5.3CVSS5.1AI score0.0022EPSS
CVE
CVE
added 2024/06/04 9:0 p.m.45 views

CVE-2024-32975

CVE-2024-32975 affects Envoy’s QUIC stack. It describes a crash caused by an integer underflow in QuicStreamSequencerBuffer::PeekRegion(), leading to a crash at QuicheDataReader::PeekVarInt62Length(). The vulnerability is triggered by the underflow, resulting in a crash and potential denial of se...

7.5CVSS6.5AI score0.00693EPSS
CVE
CVE
added 2024/06/04 9:0 p.m.43 views

CVE-2024-32974

CVE-2024-32974 is a use-after-free in Envoy’s QUIC stack. A crash occurs in EnvoyQuicServerStream::OnInitialHeadersComplete() because QUICHE may push request headers after StopReading() and the HCM ActiveStream has been destroyed, risking use-after-free when QUICHE makes up calls. This can crash ...

7.5CVSS6.6AI score0.00693EPSS
CVE
CVE
added 2024/06/04 8:59 p.m.37 views

CVE-2024-34362

CVE-2024-34362 affects Envoy’s QUIC stack: a use-after-free in HttpConnectionManager with EnvoyQuicServerStream can crash the process. Exploitation described as crafted request sequencing (no FIN, then RESET_STREAM, then close). No explicit exploit details in the Initial description; connected ad...

5.9CVSS6AI score0.00589EPSS
CVE
CVE
added 2026/03/10 7:8 p.m.28 views

CVE-2026-26310

Envoy (the Envoy proxy) has a vulnerability CVE-2026-26310 where calling Utility::getAddressWithPort with scoped IPv6 addresses can crash the data plane via original_src/dns filters. Affected pre-1.37.1 releases (and some older branches) are fixed in versions 1.37.1, 1.36.5, 1.35.8, and 1.34.13. ...

7.5CVSS5.8AI score0.00388EPSS
CVE
CVE
added 2026/06/26 5:27 p.m.25 views

CVE-2026-47778

Envoy CVE-2026-47778 describes a TLS DNS SAN truncation flaw in DefaultCertValidator::verifySubjectAltName. Before 1.35.11, 1.36.7, 1.37.3, and 1.38.1, an embedded NUL in a dNSName SAN can be partially preserved by generalNameAsString but truncated when converted to a C-style string via .c_str(),...

4.4CVSS5.8AI score0.00212EPSS
CVE
CVE
added 2026/06/26 5:32 p.m.22 views

CVE-2026-48497

CVE-2026-48497 affects Envoy and relates to the UDP DNS filter. Before versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a query with a DNS name of exactly 255 octets (local or remote resolution) can trigger abnormal process termination due to an invalid runtime precondition that the name must be str...

7.5CVSS5.8AI score0.00405EPSS
CVE
CVE
added 2025/09/03 7:51 p.m.21 views

CVE-2025-55162

CVE-2025-55162 affects Envoy (OAuth2 filter). The issue is insufficient Session Expiration: when cookie names are __Secure- or __Host-, the filter fails to add the Secure attribute to the Set-Cookie header during deletion, causing cookies to persist and enabling session hijacking on shared machin...

8.8CVSS6.3AI score0.0031EPSS
CVE
CVE
added 2025/12/03 6:4 p.m.21 views

CVE-2025-64527

Envoy vulnerability CVE-2025-64527: In versions 1.33.12, 1.34.10, 1.35.6, 1.36.2 and earlier, a re-entry bug in JwksFetcherImpl triggers a crash when JWT authentication uses remote JWKS with allow_missing_or_failed and multiple tokens in headers if the JWKS fetch fails. The first token’s JWKS fet...

6.5CVSS6.8AI score0.00497EPSS
CVE
CVE
added 2025/12/03 6:13 p.m.21 views

CVE-2025-64763

Envoy CVE-2025-64763 relates to a de-synchronization risk in TCP proxy mode where Envoy may accept client data for CONNECT requests before sending a 2xx response, and then forward that data to the upstream connection. If the upstream proxy returns a non‑2xx status, the CONNECT tunnel state can be...

5.3CVSS6.4AI score0.00282EPSS
CVE
CVE
added 2026/03/10 7:4 p.m.20 views

CVE-2026-26309

Envoy CVE-2026-26309 describes an off-by-one write in Envoy::JsonEscaper::escapeString() that can corrupt std::string null-termination, causing undefined behavior and potentially crashes or out-of-bounds reads when treated as a C-string. Affected before 1.37.1, 1.36.5, 1.35.8, 1.34.13. The vulner...

5.3CVSS5.8AI score0.00365EPSS
CVE
CVE
added 2025/10/16 9:23 p.m.17 views

CVE-2025-62504

Envoy Lua filter use-after-free is fixed in versions 1.36.2, 1.35.6, 1.34.10, and 1.33.12. The vulnerability occurs when a Lua script rewriting the response body causes the size to exceed per_connection_buffer_limit_bytes, leading to a local reply that can override headers and crash the process, ...

7.5CVSS6.4AI score0.00383EPSS
CVE
CVE
added 2026/03/10 7:19 p.m.17 views

CVE-2026-26330

CVE-2026-26330 affects Envoy prior to versions 1.37.1, 1.36.5, 1.35.8, and 1.34.13. The issue occurs in the rate limit filter when the response phase limit is enabled and the response phase limit request fails directly, causing a crash due to access to an inner state that is not cleaned up after ...

7.5CVSS5.8AI score0.00315EPSS
CVE
CVE
added 2025/12/03 6:31 p.m.16 views

CVE-2025-66220

Envoy vulnerability CVE-2025-66220: Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte inside an OTHERNAME SAN value as valid matches. Affected versions include 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier. Descr...

7.1CVSS6.5AI score0.00164EPSS
CVE
CVE
added 2025/10/16 5:47 p.m.15 views

CVE-2025-62409

CVE-2025-62409 affects Envoy, where large requests/responses can trigger TCP connection pool crashes due to flow-control handling when the connection is closing but upstream data still arrives, causing a buffer watermark callback nullptr reference. Affected products include the Envoy core with TC...

8.7CVSS6.6AI score0.00415EPSS
Total number of security vulnerabilities52