CVE-2025-30157
Published 2025-03-21

Priority: P338 | Severity: high | CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

EPSS: 0.41% (32.4th percentile)
Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server, due to a lifetime issue in the filter. A known trigger is a failed WebSocket handshake: the failure produces a local reply, which leads to the crash of Envoy. This vulnerability is fixed in 1.33.1, 1.32.4, 1.31.6, and 1.30.10.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | < 1.30.10 | 1.30.10 |
| envoyproxy | envoy | >= 1.31.0 < 1.31.6 | 1.31.6 |
| envoyproxy | envoy | >= 1.32.0 < 1.32.4 | 1.32.4 |
| github.com | envoyproxy_envoy | >= 0 < 1.30.10 | 1.30.10 |
| github.com | envoyproxy_envoy | >= 1.31.0 < 1.31.6 | 1.31.6 |
| github.com | envoyproxy_envoy | >= 1.32.0 < 1.32.4 | 1.32.4 |
| github.com | envoyproxy_envoy | >= 1.33.0 < 1.33.1 | 1.33.1 |
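As an added example (not part of this advisory and not Envoy project code), a small Python helper that applies the affected ranges in the table above to an inventory of Envoy version strings. The fixed version per release branch is taken from the table; the rule that any branch older than 1.30 is affected follows from the `< 1.30.10` range, and the assumption that branches newer than 1.33 were cut after the fix is mine.

```python
"""Triage Envoy version strings against the CVE-2025-30157 affected ranges."""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintained branch, per the advisory table.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (1, 30): (1, 30, 10),
    (1, 31): (1, 31, 6),
    (1, 32): (1, 32, 4),
    (1, 33): (1, 33, 1),
}
OLDEST_FIXED_BRANCH = (1, 30)  # the "< 1.30.10" range covers everything older


def parse_version(text: str) -> Version:
    """Parse strings such as '1.32.3', 'v1.32.3' or '1.33.0-dev' into a tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Envoy version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if this Envoy release falls inside an affected range."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch < OLDEST_FIXED_BRANCH:
        return True  # e.g. 1.29.x: no fixed release exists on that branch
    fixed: Optional[Version] = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return False  # assumption: branches after 1.33 were cut after the fix
    return parsed < fixed


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string in an inventory to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for ver, hit in triage(["1.29.9", "1.30.9", "1.30.10", "v1.32.3", "1.33.0", "1.33.1"]).items():
        print(f"{ver:>8}: {'AFFECTED' if hit else 'ok'}")
```

A version match only says the code path exists; exposure additionally requires the ext_proc filter and WebSocket upgrades to be enabled on the same listener, which this check cannot see.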
OSV (osv · 2025-03-21)

CVE-2025-30157 [MEDIUM] Envoy crashes when HTTP ext_proc processes local replies
### Summary
Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server, due to a lifetime issue in the filter. A known situation is the failure of a WebSocket handshake, which triggers a local reply and leads to the crash of Envoy.
### PoC
If both WebSocket and ext_proc are enabled, a failed handshake will trigger a local reply, and ext_proc will crash.
### Mitigation
1. Disable WebSocket traffic.
2. Change the WebSocket response from the backend to always return `101 Switch protocol` as the RFC requires.
3. Apply the patch and the ext_proc filter will not send the local reply that is generated by Envoy to the ext_proc server for processing.
4. Apply the patch that the router will cancel the upstream requests wh
GHSA (ghsa · 2025-03-21)

CVE-2025-30157 [MEDIUM] CWE-460 Envoy crashes when HTTP ext_proc processes local replies (advisory text identical to the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.