Envoyproxy Security Vulnerabilities (CVEs)
Track 38 security vulnerabilities affecting Envoyproxy products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
- Jan 12, 2026: Envoy Gateway versions before 1.5.7 and 1.6.2 contain a vulnerability where Lua scripts in EnvoyExtensionPolicy can leak proxy credentials. Attackers ...
- Dec 3, 2025: Envoy's mTLS certificate matcher incorrectly validates certificates with embedded null bytes in OTHERNAME SAN values, potentially allowing unauthorize...
- Dec 3, 2025: Envoy proxy versions 1.33.12, 1.34.10, 1.35.6, 1.36.2 and earlier have a CONNECT tunnel desynchronization vulnerability when configured in TCP proxy m...
- Dec 3, 2025: Envoy proxy crashes when JWT authentication with remote JWKS fetching is configured, allow_missing_or_failed is enabled, multiple JWT tokens are prese...
- Oct 16, 2025: Envoy proxy versions before 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script rewrites ...
- Oct 16, 2025: This vulnerability in Envoy proxy allows large requests/responses to trigger TCP connection pool crashes when connections close while upstream data is...
- Sep 3, 2025: This CVE describes a use-after-free vulnerability in Envoy's DNS cache within the Dynamic Forward Proxy implementation. It can cause abnormal process ...
- Jan 23, 2025: This CVE allows authenticated Kubernetes cluster users to perform path traversal attacks against Envoy Gateway, enabling execution of Envoy Admin inte...
- Dec 18, 2024: Envoy proxy versions before 1.32.3, 1.31.5, 1.30.9, and 1.29.12 contain a null pointer dereference vulnerability when the http1_server_abort_dispatch ...
- Sep 20, 2024: Envoy proxy versions using the default oghttp2 HTTP/2 codec contain stream management bugs that can cause crashes. This affects all Envoy 1.31 deploym...
- Sep 20, 2024: A vulnerability in Envoy's JWT filter causes a crash when specific conditions are met: remote JWKs are used with clear_route_cache enabled, header ope...
- Jun 4, 2024: Envoyproxy with Brotli filter can enter an endless loop during decompression of Brotli data with extra input, causing denial of service. This affects ...
- Jun 4, 2024: This vulnerability in Envoy proxy allows remote attackers to cause a denial-of-service (DoS) by sending incomplete UTF-8 strings that trigger an uncau...
- Jun 4, 2024: This CVE describes a use-after-free vulnerability in Envoy's QUIC implementation that can cause a crash when processing HTTP/3 requests. The vulnerabi...
- Apr 18, 2024: Envoy proxy crashes when processing requests with host/authority headers longer than 255 characters while using upstream TLS clusters with auto_sni en...
- Feb 9, 2024: This vulnerability allows downstream clients to bypass external authentication in Envoy proxy by forcing invalid gRPC requests to the ext_authz servic...
- Feb 9, 2024: A NULL pointer dereference vulnerability in Envoy proxy when PPv2 is enabled on both listener and cluster configurations causes a segmentation fault w...
- Feb 9, 2024: Envoy proxy crashes when specific timeout configurations overlap, causing a denial of service. This affects Envoy deployments with hedge_on_per_try_ti...
- Oct 10, 2023: CVE-2023-44487 is an HTTP/2 protocol vulnerability that allows attackers to cause denial of service by rapidly resetting streams, consuming server res...
- Jul 25, 2023: This vulnerability in Envoy proxy allows attackers to bypass security controls by using mixed-case HTTP/HTTPS schemes (like 'htTp' or 'htTps') in HTTP...
- Jul 25, 2023: This CVE allows a malicious client to create OAuth2 credentials with permanent validity in Envoy proxy's OAuth2 filter under specific scenarios. It af...
- Jul 13, 2023: Envoy's HTTP/2 implementation has a memory leak vulnerability when receiving RST_STREAM followed by GOAWAY frames from upstream servers. This allows a...
- Apr 4, 2023: Envoy proxy versions before 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 fail to properly sanitize request properties when generating headers, allowing ...
- Apr 4, 2023: Envoy proxy versions before 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 allow attackers to bypass JWT authentication by forging the x-envoy-original-pa...
- Jun 9, 2022: Envoy proxy versions before 1.22.1 have a decompression vulnerability where attackers can send small, highly compressed payloads that expand to consum...
- Jun 9, 2022: This vulnerability in Envoy's OAuth filter allows attackers to bypass authentication by providing any access token, even invalid ones. It affects all ...
- Jun 9, 2022: This vulnerability in Envoy's OAuth filter allows memory corruption or crashes when the filter incorrectly continues processing after sending a local ...
- Feb 22, 2022: This vulnerability in Envoy proxy causes a segmentation fault when internal redirects select routes configured with direct response or redirect action...
- Feb 22, 2022: A crafted CONNECT request sent to Envoy's JWT filter configured with regex matching causes a crash, leading to denial of service. This affects Envoy d...
- Feb 22, 2022: Envoy proxy versions with upstream tunneling configured can crash when a downstream client disconnects while the upstream connection is still being es...
- Sep 9, 2021: CVE-2021-39206 is an authorization bypass vulnerability in Pomerium's underlying Envoy proxy that could allow specially crafted requests to bypass pat...
- Sep 9, 2021: This CVE describes a denial-of-service vulnerability in Envoy's HTTP/2 stream reset handling that affects Pomerium identity-aware access proxies. Atta...
- Aug 24, 2021: CVE-2021-32781 is a use-after-free vulnerability in Envoy proxy that allows specifically crafted requests to cause denial of service. It affects Envoy...
- Aug 24, 2021: This vulnerability in Envoy proxy allows attackers to bypass path-based authorization controls by including URI fragments (#fragment) in requests. It ...
- Aug 24, 2021: Envoy's ext-authz extension fails to properly merge multiple-value headers when sending requests to external authorization services, sending only the ...
- May 28, 2021: Envoy proxy versions 1.18.2 and earlier fail to decode escaped slash sequences (%2F and %5C) in HTTP URL paths, allowing attackers to bypass access co...
- May 20, 2021: This vulnerability in Envoy proxy allows remote attackers to cause a denial of service by sending a specially crafted TLS alert with an unknown alert ...
- Mar 11, 2021: This vulnerability in Envoy proxy allows attackers to bypass JWT authentication by presenting tokens from unauthorized issuers when the 'allow_missing...

Why Monitor Envoyproxy Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 38+ known vulnerabilities affecting Envoyproxy products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Envoyproxy packages in under 60 seconds. No agents required - completely agentless scanning that works across Envoyproxy deployments.
Free vulnerability database: Access detailed information about every Envoyproxy CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.
🚀 Get Started in 60 Seconds
- Register free account & add your servers
- Run one-time scan or schedule automatic monitoring (every 1-24 hours)
- Receive instant alerts when new Envoyproxy CVEs affect your systems
- Access dashboard with severity breakdown & fix instructions