CVE-2025-64527: NULL Pointer Dereference in Envoyproxy Envoy

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.0% (top 99.79%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 3; Latest update Dec 5

Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

Source     | Package                       | Versions          | More
NVD        | envoyproxy/envoy              | 1.34.0 .. 1.34.11 | +3
Go         | github.com/envoyproxy_envoy   | 1.36.0 .. 1.36.3  | +3
CVEListV5  | envoyproxy/envoy              | 1.33.12           | +3

Vulnerability Details (3)

GHSA: Envoy crashes when JWT authentication is configured with the remote JWKS fetching (2025-12-05)
OSV: Envoy crashes when JWT authentication is configured with the remote JWKS fetching (2025-12-05)
CVEList: Envoy crashes when JWT authentication is configured with the remote JWKS fetching (2025-12-03)

Vendor Advisories (1)

Red Hat: envoy: Envoy: Remote JWT authentication token fetch crash (2025-12-03)