CVE-2025-64763
Published 2025-12-03
Priority: P4 30 · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.27% (18.8th percentile)
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | < 1.33.13 | 1.33.13 |
| envoyproxy | envoy | <= 1.33.12 | — |
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | >= 1.34.0 < 1.34.11 | 1.34.11 |
| envoyproxy | envoy | >= 1.35.0 < 1.35.7 | 1.35.7 |
| envoyproxy | envoy | >= 1.36.0 < 1.36.3 | 1.36.3 |
| github.com | envoyproxy_envoy | >= 0 < 1.33.13 | 1.33.13 |
| github.com | envoyproxy_envoy | >= 1.34.0 < 1.34.11 | 1.34.11 |
| github.com | envoyproxy_envoy | >= 1.35.0 < 1.35.7 | 1.35.7 |
| github.com | envoyproxy_envoy | >= 1.36.0 < 1.36.3 | 1.36.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| vendor_redhat | — | 3.7 | LOW | — |
Red Hat
vendor_redhat · 2025-12-03 · CVSS 3.7
CVE-2025-64763 [LOW] CWE-693 Envoy: De-synchronized CONNECT tunnel state due to early data handling in TCP proxy mode
OSV
osv · 2025-12-05
CVE-2025-64763 [LOW] Envoy forwards early CONNECT data in TCP proxy mode
## Summary
Forwarding of early CONNECT data in TCP proxy mode.
## Details
Per [RFC 7231, section 4.3.6](https://www.rfc-editor.org/rfc/rfc7231#section-4.3.6), the sender of CONNECT (and all inbound proxies) switch to tunnel mode only after receiving a 2xx response. In TCP proxy mode, however, Envoy accepts client data before it has issued a 2xx response and eagerly proxies it to an established TCP connection. This creates the possibility of a de-synchronized tunnel state if a proxy upstream from Envoy responds with a status other than 2xx.
The RFC does not specify the behavior when early CONNECT data is received, and early CONNECT data is common as a latency reduction mechanism. To prevent disruption to existing deployments Envoy will by default a
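To make the tunnel-state problem described above concrete, here is an added, constructed model (not Envoy source code and not part of the advisory) of the two behaviours: the default, where bytes a client writes directly behind its CONNECT head are relayed to the upstream connection before anyone knows whether the tunnel will be established, and the behaviour selected by the `envoy.reloadable_features.reject_early_connect_data` flag. The upstream proxy is a stub, the state machine is simplified, and the 400 status returned on rejection is an assumption (the advisory does not name the status Envoy uses).

```python
"""Constructed model of early-CONNECT-data handling in a TCP-proxy-style tunnel.

Added illustration, not Envoy code. The upstream proxy is a stub, the tunnel
state machine is simplified, and the 400 status used when early data is
rejected is an assumption (the advisory does not name the real status).
"""
from dataclasses import dataclass

CRLF2 = b"\r\n\r\n"


@dataclass
class UpstreamProxy:
    """Stand-in for a forwarding proxy upstream of Envoy (constructed)."""
    connect_status: int      # status it answers to the tunnel request (200, 407, 502 ...)
    received: bytes = b""    # every byte that was relayed to it

    def deliver(self, data: bytes) -> None:
        self.received += data


@dataclass(frozen=True)
class ConnectResult:
    client_status: int       # status the client finally sees
    upstream_bytes: bytes    # bytes that reached the upstream before the tunnel was decided
    desynchronized: bool     # tunnel payload was delivered although no tunnel was established


def split_connect_request(raw: bytes) -> tuple[bytes, bytes]:
    """Split one client write into the CONNECT head and any early tunnel data.

    Per RFC 7231 4.3.6 the tunnel only starts after a 2xx, so anything the
    client wrote behind the empty line is data sent before it had a 2xx.
    """
    head, sep, early = raw.partition(CRLF2)
    if not sep:
        raise ValueError("incomplete CONNECT request head")
    if not head.startswith(b"CONNECT "):
        raise ValueError("not a CONNECT request")
    return head + sep, early


def handle_connect(raw: bytes, upstream: UpstreamProxy,
                   reject_early_connect_data: bool = False) -> ConnectResult:
    """Model one CONNECT request through a TCP-proxy-mode tunnel.

    reject_early_connect_data mirrors the runtime flag named in the advisory:
    False is the default (early data is relayed), True rejects the request.
    """
    _head, early = split_connect_request(raw)

    if early and reject_early_connect_data:
        # Flag set: data before a 2xx is refused and nothing reaches upstream.
        # 400 is an assumed status for this model.
        return ConnectResult(client_status=400, upstream_bytes=b"", desynchronized=False)

    # Default: early data is relayed to the established upstream TCP
    # connection immediately, before the tunnel outcome is known.
    upstream.deliver(early)

    status = upstream.connect_status
    tunnel_established = 200 <= status < 300
    # The tunnel exists only on 2xx. If the upstream proxy declined, the bytes
    # already delivered were payload for a tunnel that never came into being:
    # client and upstream now disagree about what those bytes meant.
    return ConnectResult(client_status=status,
                         upstream_bytes=upstream.received,
                         desynchronized=bool(early) and not tunnel_established)


# Constructed samples: a client that writes its first tunnel bytes right behind
# the CONNECT head (latency optimisation), and one that waits for the 2xx.
EAGER_REQUEST = (b"CONNECT example.internal:443 HTTP/1.1\r\n"
                 b"Host: example.internal:443\r\n\r\n"
                 b"\x16\x03\x01\x00\x05hello")  # fake TLS-looking early bytes

COMPLIANT_REQUEST = (b"CONNECT example.internal:443 HTTP/1.1\r\n"
                     b"Host: example.internal:443\r\n\r\n")


def demo() -> dict[str, ConnectResult]:
    """Run the three cases worth comparing: eager client with and without the
    flag against an upstream that refuses the tunnel, and a compliant client."""
    return {
        "eager_default": handle_connect(EAGER_REQUEST, UpstreamProxy(407)),
        "eager_rejected": handle_connect(EAGER_REQUEST, UpstreamProxy(407),
                                         reject_early_connect_data=True),
        "compliant_default": handle_connect(COMPLIANT_REQUEST, UpstreamProxy(200)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} status={result.client_status} "
              f"upstream_bytes={result.upstream_bytes!r} desync={result.desynchronized}")
```

The `eager_default` case is the advisory's scenario: the upstream proxy has already consumed the client's first tunnel bytes when it answers 407, so those bytes were interpreted outside any tunnel. With the flag modelled as on, the same request is refused before anything is relayed, and a client that waits for the 2xx is unaffected in either mode. In a real Envoy deployment the flag is a runtime key rather than a function argument.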
GHSA
ghsa · 2025-12-05
CVE-2025-64763 [LOW] CWE-693 Envoy forwards early CONNECT data in TCP proxy mode
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.