CVE-2025-64763
published 2025-12-03


Priority: P430
Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.27% (18.8th percentile)
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.
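The mitigation flag named above lives in Envoy's runtime configuration. The bootstrap fragment below is an added illustration, not text from the advisory or the Envoy project; it assumes the standard layered_runtime/static_layer bootstrap layout, and only the flag name comes from the page. It applies to an Envoy build that carries the fix, since builds in the affected ranges predate the flag.

```yaml
# Added example (not from the advisory): a bootstrap runtime layer that turns on
# the CVE-2025-64763 mitigation flag.
#
# Default (flag absent or false): Envoy keeps accepting client data that arrives
# before the CONNECT 2xx and forwards it upstream, so a non-2xx from an upstream
# forwarding proxy can leave the tunnel state de-synchronized.
#
# true: CONNECT requests that send data before the 2xx are rejected, which is the
# safer setting whenever an intermediary upstream of Envoy may refuse the tunnel.
layered_runtime:
  layers:
  - name: static_layer_0          # layer name is an arbitrary label (assumption)
    static_layer:
      envoy.reloadable_features.reject_early_connect_data: true
```

The flag is a runtime feature, so it can also be supplied through whatever runtime layer (admin or RTDS) a deployment already uses; the static layer above is just the simplest self-contained form.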

Affected

12 ranges

| Vendor     | Product           | Version range        | Fixed in |
|------------|-------------------|----------------------|----------|
| envoyproxy | envoy             | < 1.33.13            | 1.33.13  |
| envoyproxy | envoy             | <= 1.33.12           |          |
| envoyproxy | envoy             |                      |          |
| envoyproxy | envoy             |                      |          |
| envoyproxy | envoy             |                      |          |
| envoyproxy | envoy             | >= 1.34.0 < 1.34.11  | 1.34.11  |
| envoyproxy | envoy             | >= 1.35.0 < 1.35.7   | 1.35.7   |
| envoyproxy | envoy             | >= 1.36.0 < 1.36.3   | 1.36.3   |
| github.com | envoyproxy_envoy  | >= 0 < 1.33.13       | 1.33.13  |
| github.com | envoyproxy_envoy  | >= 1.34.0 < 1.34.11  | 1.34.11  |
| github.com | envoyproxy_envoy  | >= 1.35.0 < 1.35.7   | 1.35.7   |
| github.com | envoyproxy_envoy  | >= 1.36.0 < 1.36.3   | 1.36.3   |

CVSS provenance

| Source        | Version | Score | Severity | Vector                                       |
|---------------|---------|-------|----------|----------------------------------------------|
| nvd           | v3.1    | 5.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| vendor_redhat |         | 3.7   | LOW      |                                              |