3 matches found
CVE-2025-24030
CVE-2025-24030 affects Envoy Gateway prior to version 1.2.6. A user with Kubernetes cluster access can perform a path traversal attack against the Envoy Admin interface to terminate the Envoy process and exfiltrate the proxy configuration (potentially containing confidential data). The issue is f...
CVE-2025-25294
Envoy Gateway has a log injection vulnerability in its default Envoy Proxy access log configuration on affected releases prior to 1.2.7 and 1.3.1. A crafted user-agent could trigger JSON injection, allowing modification of the access log. The issue is fixed in 1.2.7 and 1.3.1 by updating EnvoyPro...
CVE-2026-22771
Summary: CVE-2026-22771 affects Envoy Gateway. Prior to versions 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by the Envoy proxy can leak credentials (e.g., TLS private keys and other secrets) used by the proxy, enabling access to control-plane secrets. The issue is described across...