CVE-2025-24030

7.1 HIGH

📋 TL;DR

Envoy Gateway exposes a Prometheus stats endpoint on every Envoy proxy it manages by routing that endpoint to the proxy's local Envoy Admin interface. In all Envoy Gateway versions prior to 1.2.6, that route can be abused with a path traversal, so a request to the stats listener can reach arbitrary admin endpoints instead of only the Prometheus stats. Anyone who can reach the proxy pods from inside the Kubernetes cluster can therefore run Envoy Admin commands: terminate the Envoy process (/quitquitquit) or read its running configuration (/config_dump), which may contain confidential data.

💻 Affected Systems

Products:
  • Envoy Gateway
Versions: All versions prior to 1.2.6
Operating Systems: Any OS running Envoy Gateway
Default Config Vulnerable: ⚠️ Yes
Notes: Every default configuration of an affected version is vulnerable; no opt-in feature is involved. Exploitation needs network access to the managed Envoy proxy pods from inside the cluster, not Kubernetes API credentials.

📦 What is this software?

Envoy Gateway is an open source project that manages Envoy Proxy as a standalone or Kubernetes-based application gateway. On Kubernetes it implements the Gateway API: a controller watches Gateway resources and runs and configures a fleet of Envoy proxy Deployments on the cluster's behalf, which is why one controller bug affects every proxy it manages.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption: every managed proxy can be terminated through the admin interface, and its full running configuration (routes, upstream addresses, header manipulation and any credentials embedded in filter configuration) can be read.

🟠

Likely Case

Unauthorized access to Envoy configuration data and potential service disruption through admin command execution.

🟢

If Mitigated

Limited impact when only the metrics scrapers can reach the proxies' stats port (NetworkPolicy) and the ability to run workloads in the cluster is restricted to trusted users.

🌐 Internet-Facing: MEDIUM - The vulnerable route sits on the proxy's stats listener, not on the Gateway listeners that serve client traffic, so an internet-facing gateway is not exposed by that alone; the risk is that a foothold anywhere in the cluster network reaches the stats port.
🏢 Internal Only: HIGH - Anyone who can open a connection to a managed proxy pod's stats port from inside the cluster (a compromised workload, a user who can exec into a pod) can terminate the proxies and read their configuration.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Requires network reach to a managed proxy's stats listener from inside the cluster; no credentials are needed beyond that, and the request itself is ordinary HTTP carrying a traversal path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.6

Vendor Advisory: https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76

Restart Required: No manual restart; the controller re-renders the proxy bootstrap after the upgrade and the managed proxy pods are rolled with it. Confirm that the rollout actually happened, since a proxy that was not re-created still runs the old bootstrap.

Instructions:

1. Upgrade the Envoy Gateway controller to 1.2.6 or later (for a Helm install, move the release to the new chart/image version).
2. Confirm the controller pod is running the new image.
3. Confirm the managed proxy pods (the envoy-* Deployments in envoy-gateway-system on a default install) have been rolled out since the upgrade: the fix is in the bootstrap the controller renders for each proxy, so a proxy that has not been re-created still runs the old one.
4. Run the version and traversal checks under "How to Verify".

🔧 Temporary Workarounds

Bootstrap Config Patch (applies to all affected versions)

Use the EnvoyProxy API's bootstrap patching to change the bootstrap of every managed proxy so that the route in front of the Envoy Admin interface forwards only the exact Prometheus stats path and nothing else. The EnvoyProxy resource takes effect only when the GatewayClass references it through parametersRef; once it does, the controller re-renders the proxy bootstrap and the proxy pods are rolled with it.
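
Added example, not part of the original advisory or of the Envoy Gateway project: a shell script that applies such a patch with kubectl and, alongside it, a small emulation of the two route match kinds involved so the reasoning can be checked offline. The JSON pointer to the stats route, the resource name cve-2025-24030-workaround, the namespace envoy-gateway-system and the stats port 19001 are assumptions about a default install; dump your proxies' rendered bootstrap and adjust the pointer before applying.

```sh
#!/bin/sh
# Added example (not from Envoy Gateway or the advisory). Installs an EnvoyProxy
# bootstrap JSONPatch that pins the stats route to an exact /stats/prometheus
# match, and emulates prefix vs exact matching to show why that stops traversal.
#
# Assumptions, all to be verified against your own rendered proxy bootstrap:
#   - the static stats listener is listeners[0] and its HTTP connection manager
#     is filter_chains[0].filters[0] (the JSON pointer below);
#   - the EnvoyProxy resource is attached to your GatewayClass via
#     spec.parametersRef; without that attachment the patch is never applied.

EG_NAMESPACE=${EG_NAMESPACE:-envoy-gateway-system}   # default install namespace
STATS_PORT=${STATS_PORT:-19001}                      # default stats listener port
STATS_ROUTE_MATCH='/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match'

# apply_workaround: replace the stats route's match block with an exact path
# match. Only a request whose path is literally /stats/prometheus (query string
# ignored) is forwarded to the admin interface; everything else gets a 404.
apply_workaround() {
  kubectl apply -n "$EG_NAMESPACE" -f - <<EOF
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: cve-2025-24030-workaround
spec:
  bootstrap:
    type: JSONPatch
    jsonPatches:
      - op: replace
        path: "$STATS_ROUTE_MATCH"
        value:
          path: /stats/prometheus
EOF
}

# probe_stats_port POD: port-forward a managed proxy's stats port and send a
# traversal-shaped request. --path-as-is is essential: without it curl collapses
# the dot segments client-side and the probe tests nothing. Expect 404 once the
# patch (or 1.2.6) is in place; admin output means the proxy is still exposed.
probe_stats_port() {
  pod=$1
  kubectl port-forward -n "$EG_NAMESPACE" "pod/$pod" "$STATS_PORT:$STATS_PORT" >/dev/null 2>&1 &
  pf=$!
  sleep 2
  curl -s -o /dev/null -w '%{http_code}\n' --path-as-is \
    "http://127.0.0.1:$STATS_PORT/stats/prometheus/../../server_info"
  kill "$pf"
}

# route_decision MODE PATH: emulate Envoy's route matching for the two match
# kinds that matter here. "prefix" forwards anything under /stats/prometheus,
# traversal included; "path" (what the patch installs) forwards only the exact
# stats path. Both kinds ignore the query string, as Envoy does.
route_decision() {
  mode=$1
  req=${2%%\?*}
  case $mode in
    prefix)
      case $req in
        /stats/prometheus*) echo forward ;;
        *) echo reject ;;
      esac ;;
    path)
      if [ "$req" = /stats/prometheus ]; then echo forward; else echo reject; fi ;;
    *)
      echo "unknown match kind: $mode" >&2; return 2 ;;
  esac
}

# Usage: sh workaround.sh apply | probe <proxy-pod-name>
case ${1:-} in
  apply) apply_workaround ;;
  probe) probe_stats_port "$2" ;;
esac
```

The exact match is sufficient on its own, whatever the listener's path normalization settings, because the admin interface is reachable only through this route and the route now forwards a single literal path. Run the probe before and after applying to see the behaviour change on your own proxies.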

🧯 If You Can't Patch

  • Restrict who can run workloads or exec into pods with Kubernetes RBAC; note that RBAC does not stop an already-compromised pod from reaching the stats port
  • Use NetworkPolicy to allow ingress to the managed proxy pods' stats port (19001 by default) only from your metrics scrapers, and never expose that port through a Service reachable from outside the cluster

🔍 How to Verify

Check if Vulnerable:

Read the image tag of the Envoy Gateway controller Deployment; any release tag before v1.2.6 is affected. Floating tags (latest) and digest-pinned images do not tell you the release, so resolve those before deciding.

Check Version (default install: namespace envoy-gateway-system, Deployment envoy-gateway):

kubectl get deploy -n envoy-gateway-system envoy-gateway -o jsonpath='{.spec.template.spec.containers[*].image}'

Verify Fix Applied:

Confirm the controller image is v1.2.6 or later, confirm the managed proxy pods have been re-created since the upgrade (the fix lives in the bootstrap the controller renders for them), and confirm that a request to a proxy's stats port (19001 by default) whose path starts with /stats/prometheus but carries a dot-dot segment is answered with a 404 by the proxy rather than with Envoy Admin output. Use a client that sends the path verbatim (curl needs --path-as-is); otherwise the client normalizes the path away and the test proves nothing.
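
Added example, not from the page or the Envoy Gateway project: a shell script that pulls every controller image out of the cluster and classifies its tag against the fixed release, treating anything that is not a plain release tag as unknown rather than guessing. The repository name envoyproxy/gateway is the project's default image; the script name and the handling of odd tags are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the page or the Envoy Gateway project). Lists every
# envoyproxy/gateway controller image running in the cluster and classifies its
# tag against the fixed release 1.2.6. Assumes the default image repository name
# envoyproxy/gateway; any registry prefix (with or without a port) is tolerated.

FIXED_MAJOR=1
FIXED_MINOR=2
FIXED_PATCH=6

# classify_tag TAG: print VULNERABLE, FIXED or UNKNOWN for a release tag such as
# v1.2.5 or 1.3.0. UNKNOWN is deliberate for anything that is not a plain
# release number: floating tags (latest), pre-releases (v1.2.6-rc.1) and digest
# fragments; those must be resolved by hand, never assumed fixed.
classify_tag() {
  tag=${1#v}
  case $tag in
    ''|*[!0-9.]*|*..*|.*|*.) echo UNKNOWN; return ;;
  esac
  major=${tag%%.*}
  rest=${tag#*.}
  if [ "$rest" = "$tag" ]; then echo UNKNOWN; return; fi   # bare "1": no minor
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$patch" = "$rest" ]; then patch=0; fi             # "1.2" compares as 1.2.0
  patch=${patch%%.*}                                       # ignore a 4th component
  if [ "$major" -ne "$FIXED_MAJOR" ]; then
    if [ "$major" -lt "$FIXED_MAJOR" ]; then echo VULNERABLE; else echo FIXED; fi
    return
  fi
  if [ "$minor" -ne "$FIXED_MINOR" ]; then
    if [ "$minor" -lt "$FIXED_MINOR" ]; then echo VULNERABLE; else echo FIXED; fi
    return
  fi
  if [ "$patch" -lt "$FIXED_PATCH" ]; then echo VULNERABLE; else echo FIXED; fi
}

# classify_image IMAGE: print "<verdict> <image>". A digest-pinned image gives
# UNKNOWN because the digest does not reveal the release. An image with no tag
# at all is treated as the floating tag latest, which is also UNKNOWN.
classify_image() {
  image=$1
  case $image in
    *@sha256:*) echo "UNKNOWN $image"; return ;;
  esac
  tag=${image##*:}
  case $tag in
    */*) tag=latest ;;   # the last colon belonged to a registry port, not a tag
  esac
  echo "$(classify_tag "$tag") $image"
}

# scan_cluster: every container image in every Deployment, filtered to the
# Envoy Gateway controller image, one verdict per line.
scan_cluster() {
  kubectl get deploy -A \
    -o jsonpath='{range .items[*]}{range .spec.template.spec.containers[*]}{.image}{"\n"}{end}{end}' \
  | grep -E 'envoyproxy/gateway(:|@|$)' \
  | while IFS= read -r image; do classify_image "$image"; done
}

# Usage: sh eg-version-scan.sh scan
if [ "${1:-}" = scan ]; then scan_cluster; fi
```

Treat every UNKNOWN line as work to do, not as a pass: a digest-pinned controller may well be fixed, but the script cannot tell, and a pre-release of 1.2.6 predates the fix.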

📡 Detection & Monitoring

Log Indicators:

  • Requests on the managed proxies' stats listener whose path starts with /stats/prometheus but contains a dot-dot segment (.. or its percent-encoded forms)
  • Requests on that listener naming Envoy Admin endpoints (quitquitquit, config_dump, server_info, clusters, certs and the like), whatever status code they received
  • Managed proxy containers restarting after a clean exit rather than a crash or OOM kill: /quitquitquit asks Envoy to shut down gracefully, so the termination shows up as an ordinary exit (check lastState.terminated in the pod status)
  • Confirm first that the stats listener emits access logs at all; it is defined in the static bootstrap, so it is not automatically covered by the access-log settings configured for Gateway listeners

Network Indicators:

  • Connections to the proxies' stats port (19001 by default) from sources other than the metrics scrapers and the kubelet's readiness probes
  • Requests on that port for any path other than the stats path and the readiness path served by the same listener

SIEM Query:

source="envoy-proxy-access-log" AND path:"/stats/prometheus*" AND (path:"*..*" OR path:"*%2e*" OR path:"*quitquitquit*" OR path:"*config_dump*" OR path:"*server_info*")

Generic pseudo-syntax; the events must come from the managed proxies' access logs, not from the controller's logs. Status codes 401 and 403 are not indicators here: the admin interface has no authentication, and a request the route rejects is answered with a 404.
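
Added example, not from the page or the Envoy Gateway project: the log indicators above as a grep over the request line of Envoy's default text access-log format, run here on a constructed sample. The sample lines, the script name and the pod and container names in the usage comment are made up for illustration; only the admin endpoint names are Envoy's own.

```sh
#!/bin/sh
# Added example (not from the page or the Envoy Gateway project). Flags access
# log lines that show admin-interface probing through a proxy's stats listener.
# The regex targets the quoted request line ("METHOD PATH PROTOCOL") of Envoy's
# default text access-log format; if your proxies log JSON, apply the same
# pattern to the field holding the request path instead.

# Admin endpoints whose appearance on the stats listener is never legitimate.
ADMIN_ENDPOINTS='quitquitquit|config_dump|server_info|clusters|listeners|certs|drain_listeners|healthcheck/fail|logging|reset_counters|cpuprofiler|heapprofiler'
# Dot-dot segments, raw or percent-encoded; -i below covers %2E as well as %2e.
TRAVERSAL='(\.\.|%2e%2e|\.%2e|%2e\.)'
# Fire on (a) anything under /stats/prometheus that carries a dot-dot segment or
# names an admin endpoint, or (b) a request aimed straight at an admin endpoint.
# The status code is deliberately not part of the match: a 404 on such a
# request is still reconnaissance worth seeing.
REQ_LINE_RE="\"[A-Z]+ (/stats/prometheus[^ \"]*(${TRAVERSAL}|/(${ADMIN_ENDPOINTS}))|/(${ADMIN_ENDPOINTS}))[^ \"]* HTTP/"

# flag_admin_traversal: stdin -> matching lines. count_admin_traversal: the count.
flag_admin_traversal() { grep -E -i "$REQ_LINE_RE"; }
count_admin_traversal() { grep -E -i -c "$REQ_LINE_RE"; }

# Constructed sample in the shape of Envoy's default text access log (not real
# data; status codes are illustrative). Lines 4 to 7 should be flagged.
SAMPLE_LOG='[2025-01-23T10:00:01.000Z] "GET /stats/prometheus HTTP/1.1" 200 - 0 48211 3 2 "-" "Prometheus/2.53.0" "-" "10.244.1.7:19001" "127.0.0.1:19000"
[2025-01-23T10:00:02.000Z] "GET /stats/prometheus?usedonly HTTP/1.1" 200 - 0 1032 2 1 "-" "Prometheus/2.53.0" "-" "10.244.1.7:19001" "127.0.0.1:19000"
[2025-01-23T10:00:03.000Z] "GET /ready HTTP/1.1" 200 - 0 5 0 - "-" "kube-probe/1.31" "-" "10.244.1.7:19001" "-"
[2025-01-23T10:00:04.000Z] "GET /stats/prometheus/../../config_dump HTTP/1.1" 200 - 0 173922 11 10 "-" "curl/8.5.0" "-" "10.244.1.7:19001" "127.0.0.1:19000"
[2025-01-23T10:00:05.000Z] "GET /stats/prometheus/%2e%2e/%2E%2E/server_info HTTP/1.1" 200 - 0 2010 4 3 "-" "curl/8.5.0" "-" "10.244.1.7:19001" "127.0.0.1:19000"
[2025-01-23T10:00:06.000Z] "POST /quitquitquit HTTP/1.1" 404 NR 0 0 0 - "-" "curl/8.5.0" "-" "10.244.1.7:19001" "-"
[2025-01-23T10:00:07.000Z] "POST /stats/prometheus/..%2fquitquitquit HTTP/1.1" 200 - 0 2 1 1 "-" "python-requests/2.32" "-" "10.244.1.7:19001" "127.0.0.1:19000"'

# Usage: sh detect.sh sample
#        kubectl logs -n envoy-gateway-system <proxy-pod> -c envoy | sh detect.sh stdin
case ${1:-} in
  sample) printf '%s\n' "$SAMPLE_LOG" | flag_admin_traversal ;;
  stdin)  flag_admin_traversal ;;
esac
```

Normal scrapes (the first two lines) and readiness probes pass through silently; every flagged line is either a traversal under the stats path or a direct attempt at an admin endpoint, and the 404 on the direct attempt is kept on purpose. Rather than alerting on single lines, pivot on the source address, which is the field that tells you which pod in the cluster is probing the proxies.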
