CVE-2025-64527
📋 TL;DR
Envoy crashes when the JWT authentication filter is configured with remote JWKS fetching and an allow_missing_or_failed requirement, a request carries more than one JWT, and the JWKS fetch fails. The result is a denial of service against Envoy deployments using that configuration; the crash stems from a re-entry bug in JwksFetcherImpl.
💻 Affected Systems
- Envoy Proxy
📦 What is this software?
Envoy by Envoyproxy
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage for Envoy proxy instances, disrupting all traffic through affected proxies and causing cascading failures in dependent services.
Likely Case
Repeated crashes and restarts of Envoy instances whenever multi-token requests arrive while the remote JWKS endpoint is unreachable or returning errors, dropping in-flight connections and causing intermittent availability issues for everything behind the proxy.
If Mitigated
No impact if JWT authentication is not used, or if proper version patching or workarounds are implemented.
🎯 Exploit Status
An unauthenticated attacker can trigger the crash by sending requests that carry more than one JWT (the tokens need not be valid) while the remote JWKS fetch is failing. The attacker does not need control of the JWKS endpoint; an outage, error response, or timeout of that endpoint is enough to satisfy the fetch-failure precondition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.33.13, 1.34.11, 1.35.7, 1.36.3
Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866
Restart Required: Yes
Instructions:
1. Identify Envoy instances running a version below the patched release for their minor line (1.33.x below 1.33.13, 1.34.x below 1.34.11, 1.35.x below 1.35.7, 1.36.x below 1.36.3).
2. Upgrade to 1.33.13, 1.34.11, 1.35.7, or 1.36.3 (or later within the same minor line).
3. Restart the Envoy process, or roll the pods/containers, so the new binary is loaded.
4. Verify the fix by checking envoy --version and exercising JWT authentication, including the multi-token case, against a non-production instance.
🔧 Temporary Workarounds
Remove the allow_missing_or_failed requirement
Remove the allow_missing_or_failed requirement from the JWT authentication filter's rules (and requirement_map) so the crash condition cannot be reached. allow_missing_or_failed is not a boolean flag but one of the requirement types, so it cannot be set to false; replace it with a requirement that does not tolerate a failed JWKS fetch, such as provider_name, or allow_missing if requests without any token must still pass.
Note the behaviour change: requests whose token fails validation are then rejected with 401 instead of being let through.
Use a local JWKS instead of remote fetching
Use a local JWKS (local_jwks loaded from a file or inline string) instead of remote_jwks so there is no fetch that can fail.
The key set must then be updated by hand or by the deployment pipeline whenever the identity provider rotates its keys.
🧯 If You Can't Patch
- Disable JWT authentication entirely if not required
- Implement rate limiting, and filter out requests that present a JWT in more than one location the filter extracts from (for example both an Authorization header and an access_token query parameter, the filter's default locations), so the multi-token precondition cannot be met
🔍 How to Verify
Check if Vulnerable:
Vulnerable if all three hold: the Envoy version is below the patched release for its minor line (1.33.13, 1.34.11, 1.35.7, 1.36.3); a jwt_authn filter has a provider configured with remote_jwks; and a rule or requirement_map entry in that filter uses allow_missing_or_failed (directly or nested inside requires_any/requires_all).
Check Version:
envoy --version
Verify Fix Applied:
Confirm envoy --version reports 1.33.13, 1.34.11, 1.35.7, or 1.36.3 or later for its minor line, then, against a non-production instance, send a request carrying more than one JWT while the JWKS endpoint is unreachable and confirm the process stays up.
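As an added example (not code from the Envoy project or from this advisory), the following Python check applies the workaround and verification guidance above to a running instance: it flags any jwt_authn filter in which a remote_jwks provider sits beside an allow_missing_or_failed requirement, and reports whether the installed version is below the patched level for its minor line. The two configs embedded in it are constructed samples in Envoy's JSON config syntax (the first shows the vulnerable combination, the second applies both workarounds); the envoy --version output line is a constructed sample whose format is an assumption, as is the treatment of minor lines newer than 1.36 as already patched.

```python
"""Checks for the CVE-2025-64527 preconditions: Envoy version and JWT filter config.

Added example, not code from the Envoy project. Configs and the --version line
below are constructed samples; the --version format is an assumption.
"""
import json
import re

# First patched patch level per minor line, from the advisory.
FIXED = {(1, 33): 13, (1, 34): 11, (1, 35): 7, (1, 36): 3}
JWT_AUTHN_TYPE = ("type.googleapis.com/envoy.extensions.filters.http."
                  "jwt_authn.v3.JwtAuthentication")

# Constructed sample: remote JWKS plus allow_missing_or_failed (vulnerable combination).
VULNERABLE_CONFIG = """{"http_filters": [{"name": "envoy.filters.http.jwt_authn", "typed_config": {
  "@type": "%s",
  "providers": {"idp": {"issuer": "https://idp.example.com", "audiences": ["api"],
    "from_headers": [{"name": "Authorization", "value_prefix": "Bearer "}],
    "remote_jwks": {"http_uri": {"uri": "https://idp.example.com/.well-known/jwks.json",
                                 "cluster": "idp_jwks", "timeout": "5s"},
                    "cache_duration": "300s"}}},
  "rules": [{"match": {"prefix": "/"}, "requires": {"allow_missing_or_failed": {}}}]}}]}""" % JWT_AUTHN_TYPE

# Constructed sample applying both workarounds: a local JWKS file, and a requirement
# that still accepts a missing token but rejects one that fails validation.
HARDENED_CONFIG = """{"http_filters": [{"name": "envoy.filters.http.jwt_authn", "typed_config": {
  "@type": "%s",
  "providers": {"idp": {"issuer": "https://idp.example.com", "audiences": ["api"],
    "from_headers": [{"name": "Authorization", "value_prefix": "Bearer "}],
    "local_jwks": {"filename": "/etc/envoy/idp-jwks.json"}}},
  "rules": [{"match": {"prefix": "/"}, "requires": {"requires_any": {"requirements": [
    {"provider_name": "idp"}, {"allow_missing": {}}]}}}]}}]}""" % JWT_AUTHN_TYPE

# Constructed sample of `envoy --version` output (format assumed).
SAMPLE_VERSION_OUTPUT = "envoy  version: 0123456789abcdef/1.35.6/Clean/RELEASE/BoringSSL"


def parse_version(version_output):
    """Return (major, minor, patch) from the output of `envoy --version`."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", version_output)
    if not m:
        raise ValueError("no x.y.z version in: %r" % version_output)
    return tuple(int(g) for g in m.groups())


def version_is_patched(version):
    """True if the version is at or above the advisory's fix for its minor line."""
    major, minor, patch = version
    if (major, minor) not in FIXED:
        # Outside the four advisory lines: older minors have no fix; newer minors are
        # assumed to carry it (assumption, confirm against the advisory).
        return (major, minor) > (1, 36)
    return patch >= FIXED[(major, minor)]


def requirement_allows_failure(req):
    """True if a JwtRequirement, or one nested in requires_any/requires_all, is
    allow_missing_or_failed (plain allow_missing still rejects a bad token)."""
    if not isinstance(req, dict):
        return False
    if "allow_missing_or_failed" in req:
        return True
    return any(requirement_allows_failure(sub)
               for key in ("requires_any", "requires_all")
               for sub in req.get(key, {}).get("requirements", []))


def iter_typed_configs(node):
    """Yield every dict carrying an @type, anywhere in the config tree."""
    if isinstance(node, dict):
        if "@type" in node:
            yield node
        for child in node.values():
            yield from iter_typed_configs(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_typed_configs(child)


def find_exposed_providers(config_json):
    """Names of remote_jwks providers in any jwt_authn filter that also carries an
    allow_missing_or_failed requirement (in rules or requirement_map). Conservative:
    the filter is flagged even if that requirement only covers another provider."""
    exposed = []
    for tc in iter_typed_configs(json.loads(config_json)):
        if tc.get("@type") != JWT_AUTHN_TYPE:
            continue
        remote = sorted(name for name, p in tc.get("providers", {}).items()
                        if "remote_jwks" in p)
        reqs = [rule.get("requires", {}) for rule in tc.get("rules", [])]
        reqs += list(tc.get("requirement_map", {}).values())
        if remote and any(requirement_allows_failure(r) for r in reqs):
            exposed.extend(remote)
    return exposed


def is_vulnerable(version_output, config_json):
    """Vulnerable only when both hold: unpatched version and an exposed filter config."""
    return (not version_is_patched(parse_version(version_output))
            and bool(find_exposed_providers(config_json)))
```

To run it against a real deployment, pass the captured output of envoy --version and the contents of the JSON config (or the JSON dump of the listener from the admin /config_dump endpoint) to is_vulnerable; the check is conservative in that it flags a filter whenever both a remote_jwks provider and an allow_missing_or_failed requirement appear in it, which is the right bias for a crash bug.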
📡 Detection & Monitoring
Log Indicators:
- Envoy crash logs
- Segmentation fault errors
- JWT authentication failure logs followed by process termination
Network Indicators:
- Sudden loss of connectivity to Envoy services
- Increased HTTP 5xx errors from Envoy
SIEM Query:
source="envoy" AND ("segmentation fault" OR "crash" OR "SIGSEGV")