CVE-2025-0752

CWE-444 โ€” HTTP Request SmugglingCWE-416 โ€” Use After Free5 documents5 sources
Severity
7.1HIGH
EPSS
0.2%
top 61.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Openshift Service Mesh
Timeline
PublishedJan 28

Description

A flaw was found in OpenShift Service Mesh 2.6.3 and 2.5.6. Rate-limiter avoidance, access-control bypass, CPU and memory exhaustion, and replay attacks may be possible due to improper HTTP header sanitization in Envoy.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages1 packages

โ–ถNVDredhat/openshift_service_mesh2.5.6, 2.6.3+1

๐Ÿ”ดVulnerability Details

2
GHSA
GHSA-wpxv-x75w-vp46: A flaw was found in OpenShift Service Mesh 2โ†—2025-01-28
โ–ถ
CVEList
Envoyproxy: openshift service mesh envoy http header sanitization bypass leading to dos and unauthorized accessโ†—2025-01-28
โ–ถ

๐Ÿ“‹Vendor Advisories

2
Red Hat
envoyproxy: OpenShift Service Mesh Envoy HTTP Header Sanitization Bypass Leading to DoS and Unauthorized Accessโ†—2025-01-21
โ–ถ
Microsoft
A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. This could have resulted in an exploitable crash. This vulnerability affects Firefox <โ†—2024-01-09
โ–ถ