Envoyproxy Envoy vulnerabilities
110 known vulnerabilities affecting envoyproxy/envoy.
Total CVEs: 110
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 73, MEDIUM 25, LOW 1
Vulnerabilities
Page 1 of 6
CVE-2023-44487 (P1, HIGH, CVSS 7.5, KEV, PoC). Versions: v1.24.10; v1.25.9; +2 more. Published 2023-10-10.
CWE-400: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Source: nvd
CVE-2021-29492 (P2, HIGH, CVSS 8.3). Versions: fixed in 1.15.5; ≥ 1.16.0, < 1.16.4; +3 more. Published 2021-05-28.
CWE-22: Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences
Source: nvd
CVE-2024-30255 (P2, HIGH, CVSS 7.5). Versions: fixed in 1.26.8; ≥ 1.27.0, < 1.27.4; +5 more. Published 2024-04-04.
CWE-390: Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 is vulnerable to CPU exhaustion due to a flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limi
Source: nvd
CVE-2024-27919 (P2, HIGH, CVSS 7.5). Versions: v1.29.0; v1.29.1; +1 more. Published 2024-04-04.
CWE-390: Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, the Envoy HTTP/2 protocol stack is vulnerable to a flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS
Source: nvd
CVE-2019-15226 (P3, HIGH, CVSS 7.5). Versions: v1.0.0; v1.1.0; +14 more. Published 2019-10-09.
CWE-400: Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 through 1.11.1 for HTTP/1.x traffic and all versions of Envoy for HTTP/2 traffic had O(n^2) performance characteristics. A remote attacker may
Source: nvd
CVE-2019-9901 (P3, CRITICAL, CVSS 10.0). Versions: ≤ 1.9.0. Published 2019-04-25.
CWE-706: Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.
Source: nvd
CVE-2019-18801 (P3, CRITICAL, CVSS 9.8). Versions: ≤ 1.12.1. Published 2019-12-13.
CWE-787: An issue was discovered in Envoy 1.12.0. An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1. This may be used to corrupt nearby heap contents (leading to a query-of-death scenario) or may be used to bypass Envoy's access control mechanisms such as path based routing
Source: nvd
CVE-2023-27488 (P3, CRITICAL, CVSS 9.8). Versions: fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more. Published 2023-04-04.
CWE-20: Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logge
Source: nvd
CVE-2022-29226 (P3, CRITICAL, CVSS 9.1). Versions: fixed in 1.22.1. Published 2022-06-09.
CWE-306: Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validate
Source: nvd
CVE-2025-55162 (P3, HIGH, CVSS 8.8). Versions: fixed in 1.32.10; ≥ 1.33.0, ≤ 1.33.7; +6 more. Published 2025-09-03.
CWE-613: Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie n
Source: nvd
CVE-2023-35941 (P3, CRITICAL, CVSS 9.8). Versions: ≥ 1.23.0, < 1.23.12; ≥ 1.24.0, < 1.24.10; +6 more. Published 2023-07-25.
CWE-116: Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by some rare scenarios in which the HMAC payload can be always valid in OAuth2
Source: nvd
CVE-2021-21378 (P3, HIGH, CVSS 8.2). Versions: v1.17.0; = 1.17.0. Published 2021-03-11.
CWE-287: Envoy is a cloud-native high-performance edge/middle/service proxy. In Envoy version 1.17.0 an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list when Envoy's JWT Authentication filter is configured with the `allow_missing` requirement under `requires_any` due to a mistake in implementation. En
Source: nvd
CVE-2023-27491 (P3, CRITICAL, CVSS 9.1). Versions: fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more. Published 2023-04-04.
CWE-20: Envoy is an open source edge and service proxy designed for cloud-native applications. A compliant HTTP/1 service should reject malformed request lines. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, there is a possibility that a non-compliant HTTP/1 service may allow malformed requests, potentially leading to a bypass of security polici
Source: nvd
CVE-2023-27487 (P3, CRITICAL, CVSS 9.1). Versions: fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more. Published 2023-04-04.
CWE-20: Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the client may bypass JSON Web Token (JWT) checks and forge fake original paths. The header `x-envoy-original-path` should be an internal header, but Envoy does not remove this header from the request
Source: nvd
CVE-2026-48706 (P3, HIGH, CVSS 7.5). Versions: ≥ 1.34.0, < 1.35.13; ≥ 1.36.0, < 1.36.9; +6 more. Published 2026-06-26.
CWE-120: Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., >16KiB). During formatting, TcpStatsdSink r
Source: nvd
CVE-2023-27493 (P3, CRITICAL, CVSS 9.1). Versions: fixed in 1.22.9; ≥ 1.23.0, < 1.23.6; +5 more. Published 2023-04-04.
CWE-20: Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values being sent to the upstream service. In the worst case
Source: nvd
CVE-2021-32777 (P3, HIGH, CVSS 8.3). Versions: ≥ 1.16.0, < 1.16.5; ≥ 1.17.0, < 1.17.4; +2 more. Published 2021-08-24.
CWE-551: Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when the ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However, only the last header value is sent. This may allow spec
Source: nvd
CVE-2024-39305 (P3, CRITICAL, CVSS 9.1). Versions: v1.27.6; v1.28.4; +6 more. Published 2024-07-01.
CWE-416: Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7, Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory alloca
Source: nvd
CVE-2021-39206 (P3, HIGH, CVSS 8.6). Versions: fixed in 1.16.5; ≥ 1.17.0, < 1.17.4; +2 more. Published 2021-09-09.
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization related vulnerabilities CVE-2021-32777 and CVE-2021-32779. This may lead to incorrect routing or authorization policy decisions. With specially crafted requests, incorrect authorization or routing decisions may be made by Pomerium. Pomerium v0.
Source: nvd
CVE-2026-26308 (P3, HIGH, CVSS 8.2). Versions: fixed in 1.34.13; ≥ 1.35.0, < 1.35.8; +5 more. Published 2026-03-10.
CWE-863: Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all va
Source: nvd