CVE-2025-64763

3.7 LOW

📋 TL;DR

Envoy proxy versions 1.33.12, 1.34.10, 1.35.6, 1.36.2 and earlier have a CONNECT tunnel desynchronization vulnerability when configured in TCP proxy mode. Envoy accepts tunnel data that a client sends before it has received a 2xx response to its CONNECT request and forwards that data upstream. If the upstream proxy then answers the CONNECT with a non-2xx status, the client's bytes have already been delivered outside any established tunnel, and client and upstream no longer agree on the state of the connection. Organizations using Envoy as a TCP proxy that handles CONNECT requests are affected.

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: 1.33.12, 1.34.10, 1.35.6, 1.36.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Envoy configured in TCP proxy mode handling CONNECT requests. The fix is opt-in: even a patched Envoy continues to allow early CONNECT data by default (to avoid disrupting existing deployments) unless the envoy.reloadable_features.reject_early_connect_data runtime flag is set to true.

📦 What is this software?

Envoy is an open-source L4/L7 edge and service proxy (a CNCF graduated project) used as an ingress gateway, as the data-plane sidecar in service meshes such as Istio, and as a forward proxy. Among other roles it can accept HTTP CONNECT requests and tunnel the resulting TCP stream to an upstream, which is the code path this advisory concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Bytes the client sent as tunnel payload reach the upstream proxy before any tunnel exists. When the upstream then declines the CONNECT, those bytes have already been handed to it outside a tunnel, so the upstream and the client hold different views of what the connection carries. Depending on how the upstream interprets the stray bytes, this can disrupt service or cause data to be associated with the wrong client connection.

🟠

Likely Case

Service disruption where CONNECT tunnels fail to establish properly, causing connection failures for clients using the proxy.

🟢

If Mitigated

Minimal impact: with the reject_early_connect_data flag enabled, Envoy rejects a CONNECT request whose client sends tunnel data before the 2xx response, so the client sees a failed CONNECT instead of a desynchronized tunnel and nothing is forwarded upstream ahead of the response.

🌐 Internet-Facing: MEDIUM - Internet-facing Envoy proxies handling CONNECT requests could experience service disruption.
🏢 Internal Only: MEDIUM - Internal Envoy proxies in TCP proxy mode could experience connection failures affecting internal services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires a specific configuration (TCP proxy mode with CONNECT handling), a client that sends tunnel data before the 2xx response (which an attacker controls), and an upstream proxy that rejects the CONNECT establishment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The next patch release of each affected branch (1.33.x, 1.34.x, 1.35.x, 1.36.x) after the versions listed above; the vendor advisory names the exact releases.

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh

Restart Required: Yes for the binary upgrade. The runtime flag itself is a reloadable feature and can be changed without a restart when delivered through a runtime layer (static, disk, RTDS or admin).

Instructions:

1. Update Envoy to a release of your branch that contains the fix.
2. Set the envoy.reloadable_features.reject_early_connect_data runtime flag to true. The flag ships disabled by default, so the upgrade alone does not close the issue.
3. Restart Envoy to load the new binary (a later change to the flag through a runtime layer does not need a restart).

🔧 Temporary Workarounds

Enable the reject_early_connect_data flag

Platforms: all

Set the runtime flag so that Envoy rejects CONNECT requests whose clients send tunnel data before the 2xx response, instead of forwarding that data upstream. The flag is part of the fix, so it only takes effect on a build that contains it.

Set envoy.reloadable_features.reject_early_connect_data: true in the runtime configuration (for example in a static_layer of the bootstrap's layered_runtime).
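The following bootstrap fragment is an added example and is not taken from the Envoy advisory. It assumes a bootstrap that carries a layered_runtime section; the layer names are arbitrary, and the admin layer is optional but makes the flag switchable at runtime.

```yaml
# Added example: runtime layers that turn on the early-CONNECT-data guard.
# Layers later in the list override earlier ones, so the admin layer wins.
layered_runtime:
  layers:
  # Static layer: the guard is enabled as soon as Envoy starts.
  - name: static_layer_0
    static_layer:
      envoy.reloadable_features.reject_early_connect_data: true
  # Admin layer (optional): allows a live change without a restart via
  #   POST /runtime_modify?envoy.reloadable_features.reject_early_connect_data=true
  # on the admin interface. Only present if you want that control.
  - name: admin_layer_0
    admin_layer: {}
```

Without an admin_layer the /runtime_modify endpoint rejects changes, so keep the static layer as the source of truth and treat the admin layer as an emergency override.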

🧯 If You Can't Patch

  • If you are on a build that already contains the fix but cannot change its defaults, enable the envoy.reloadable_features.reject_early_connect_data runtime flag; on an unpatched binary the flag does not exist and has no effect.
  • On builds you cannot upgrade, stop handling CONNECT requests in TCP proxy mode where that is not required, so no client can place tunnel bytes ahead of the upstream's response.

🔍 How to Verify

Check if Vulnerable:

Compare the version printed by `envoy --version` against the affected list above, then check the listener configuration (for example via the admin /config_dump endpoint) for CONNECT handling in TCP proxy mode.

Check Version:

envoy --version

Verify Fix Applied:

Confirm the version is newer than the affected release for its branch, and confirm the runtime resolves envoy.reloadable_features.reject_early_connect_data to true (the admin /runtime endpoint lists the final value of every runtime key). Checking the version alone is not enough, because the guard is off by default.
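The script below is an added example, not Envoy project code, that automates both checks: it parses the version out of the `envoy --version` banner and places it against the affected range quoted on this page, then looks for the guard in a /runtime dump. The banner and the /runtime JSON are constructed samples in the shape Envoy prints; the admin address 127.0.0.1:9901 in the usage comment is an assumption.

```sh
#!/usr/bin/env sh
# Added example (not Envoy project code).

# Constructed banner in the shape Envoy prints: <sha>/<version>/<status>/<type>/<ssl>
SAMPLE_BANNER='envoy  version: 0123abc456def/1.36.2/Clean/RELEASE/BoringSSL'

# Constructed /runtime dumps (admin API), one with the guard on and one without it.
SAMPLE_RUNTIME_ON='{"layers":["static_layer_0","admin_layer_0"],"entries":{
  "envoy.reloadable_features.reject_early_connect_data":{
    "layer_values":["true",""],"final_value":"true"}}}'
SAMPLE_RUNTIME_OFF='{"layers":["static_layer_0"],"entries":{}}'

# Pull the semantic version (e.g. 1.36.2) out of the banner.
envoy_version_from_banner() {
  printf '%s\n' "$1" |
    sed -n 's#.*version: *[0-9a-fA-F]*/\([0-9][0-9.]*\)[^/]*/.*#\1#p'
}

# Return 0 when the version is within "1.33.12, 1.34.10, 1.35.6, 1.36.2 and
# earlier". Branches older than 1.33 count as "earlier"; branches newer than
# 1.36 are not listed as affected on this page.
envoy_is_affected() {
  v=$1
  major=${v%%.*}
  rest=${v#*.}
  case $rest in
    *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
    *)   minor=$rest;       patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}             # strip suffixes such as -dev
  [ -n "$patch" ] || patch=0
  [ "$major" -eq 1 ] 2>/dev/null || return 1
  case $minor in
    33) [ "$patch" -le 12 ] ;;
    34) [ "$patch" -le 10 ] ;;
    35) [ "$patch" -le 6 ] ;;
    36) [ "$patch" -le 2 ] ;;
    *)  [ "$minor" -lt 33 ] 2>/dev/null ;;   # older branches are affected
  esac
}

# Return 0 when the /runtime dump resolves the guard to "true".
runtime_flag_enabled() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q \
    '"envoy.reloadable_features.reject_early_connect_data":{[^}]*"final_value":"true"}'
}

# Against a live instance (assumed admin address) the calls would be:
#   envoy_is_affected "$(envoy_version_from_banner "$(envoy --version)")"
#   runtime_flag_enabled "$(curl -s http://127.0.0.1:9901/runtime)"
ver=$(envoy_version_from_banner "$SAMPLE_BANNER")
if envoy_is_affected "$ver"; then
  echo "$ver: in affected range, upgrade"
elif runtime_flag_enabled "$SAMPLE_RUNTIME_ON"; then
  echo "$ver: patched build with guard enabled"
else
  echo "$ver: patched build but guard not enabled"
fi
```

The two checks are deliberately separate: a patched version with the flag left at its default still forwards early CONNECT data, so a compliance check that stops at the version string reports a false pass.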

📡 Detection & Monitoring

Log Indicators:

  • Failed CONNECT tunnel establishment
  • Non-2xx responses from upstream proxies during CONNECT

Network Indicators:

  • Unexpected connection failures in TCP proxy mode
  • CONNECT request/response mismatches

SIEM Query:

envoy_access_logs | where request_method == "CONNECT" and not (response_code between 200 and 299) | summarize count() by response_code, upstream_host, client_ip

(Pseudo-query: field names depend on how your access log format is parsed. Envoy's default format carries the method in the quoted request line, the code in %RESPONSE_CODE% and the upstream in %UPSTREAM_HOST%.)
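As an added example (not from the advisory or the Envoy project), the same detection run offline over access log lines with awk. The lines are constructed in the shape of Envoy's default access log format; the hosts, addresses and request IDs are made up.

```sh
#!/usr/bin/env sh
# Added example (not Envoy project code): CONNECT requests that ended in a
# non-2xx response, grouped by response code and upstream host.

# Constructed lines in the shape of Envoy's default access log format.
SAMPLE_ACCESS_LOG='[2025-11-20T10:00:00.001Z] "CONNECT internal.example:443 HTTP/1.1" 407 - 0 0 3 2 "-" "curl/8.5.0" "a1" "internal.example:443" "10.0.0.5:3128"
[2025-11-20T10:00:00.002Z] "CONNECT internal.example:443 HTTP/1.1" 200 - 512 1024 88 3 "-" "curl/8.5.0" "a2" "internal.example:443" "10.0.0.5:3128"
[2025-11-20T10:00:00.003Z] "GET /healthz HTTP/1.1" 502 UF 0 0 1 - "-" "kube-probe/1.30" "a3" "svc.example" "10.0.0.7:8080"
[2025-11-20T10:00:00.004Z] "CONNECT internal.example:443 HTTP/1.1" 407 - 0 0 2 2 "-" "curl/8.5.0" "a4" "internal.example:443" "10.0.0.5:3128"
[2025-11-20T10:00:00.005Z] "CONNECT other.example:443 HTTP/1.1" 403 - 0 0 2 1 "-" "python-requests/2.32" "a5" "other.example:443" "10.0.0.6:3128"'

# Read access log lines on stdin; print "<count> <code> <upstream>" for every
# CONNECT whose response code is outside 200-299, most frequent first.
connect_non2xx() {
  awk '
    $2 == "\"CONNECT" {                 # field 2 is the quoted method
      code = $5 + 0                     # field 5 is %RESPONSE_CODE%
      if (code < 200 || code > 299)
        n[code " " $NF]++               # $NF is the quoted %UPSTREAM_HOST%
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Number of distinct (code, upstream) groups that failed; a jump in this or in
# the per-group counts from one upstream is the signal worth alerting on.
connect_non2xx_groups() {
  printf '%s\n' "$1" | connect_non2xx | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_ACCESS_LOG" | connect_non2xx
```

Only the quoted method and the response code are needed, so the same awk works on any log format that keeps the default request-line and %RESPONSE_CODE% positions; the upstream host as last field is what the default format provides.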

🔗 References

  • Vendor advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh
