
Envoyproxy Envoy vulnerabilities

110 known vulnerabilities affecting envoyproxy/envoy.

Total CVEs: 110
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 11, HIGH 73, MEDIUM 25, LOW 1

Vulnerabilities

Page 2 of 6
CVE-2019-9900 | HIGH (CVSS 8.3) | P3 | affected: ≤ 1.9.0 | published 2019-04-25
CWE-74. When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
Source: nvd
CVE-2021-32779 | HIGH (CVSS 8.3) | P3 | affected: ≥ 1.16.0, < 1.16.5; ≥ 1.17.0, < 1.17.4; +6 more | published 2021-08-24
CWE-551. Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an explicit case of a final "/admin" path element, or
Source: nvd
CVE-2019-18802 | CRITICAL (CVSS 9.8) | P3 | affected: ≤ 1.12.1 | published 2019-12-13
An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with whitespace after the header content. Envoy will treat "header-value " as a different string from "header-value" so for example with the Host header "example.com " one could bypass "example.com" matchers.
Source: nvd
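The three entries above (CVE-2019-9900, CVE-2019-18802 and CVE-2021-32779) are one bug class: the authorization matcher compares a raw wire value while the upstream sees a different one. The following is an added example, not Envoy's code, showing the validation and normalization step a proxy must run before any exact-match rule is evaluated. The deny rule, the Request type and the sample requests are constructed for the demo; the "raw" path reproduces the pre-fix matching the advisories describe and the "strict" path is the hardened form.

```python
"""Normalize request attributes before an authorization matcher sees them.

Added example, not Envoy's code. It models the three bypass classes above:
  CVE-2019-9900  embedded NUL in a header value
  CVE-2019-18802 trailing whitespace in a header value ("example.com ")
  CVE-2021-32779 a "#fragment" carried inside the path ("/admin#x")
The deny rule and the sample requests are constructed for the demo.
"""
from dataclasses import dataclass, field


class BadRequest(Exception):
    """The request must be rejected (HTTP 400) rather than matched."""


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def validate_header_value(value: str) -> str:
    # RFC 7230 field-value bytes are VCHAR / obs-text / SP / HTAB. NUL and
    # other control bytes are not allowed. An implementation that compares
    # NUL-terminated strings sees "example.com" where another component sees
    # "example.com\x00..." (CVE-2019-9900); rejecting the value removes the
    # disagreement instead of guessing which view wins.
    for ch in value:
        code = ord(ch)
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            raise BadRequest(f"control byte 0x{code:02x} in header value")
    # Optional whitespace around a field-value is not part of the value
    # (RFC 7230 section 3.2.4). Matching the raw string lets "example.com "
    # slip past an exact "example.com" matcher (CVE-2019-18802).
    return value.strip(" \t")


def normalize_path(path: str) -> str:
    # Browsers never send a fragment, but a raw client can. If the matcher
    # sees "/admin#x" while the upstream serves "/admin", an exact "/admin"
    # rule is bypassed (CVE-2021-32779); drop the fragment first.
    return path.split("#", 1)[0]


def normalize(req: Request) -> Request:
    headers = {k.lower(): validate_header_value(v) for k, v in req.headers.items()}
    return Request(path=normalize_path(req.path), headers=headers)


# Constructed RBAC-style deny rule: the public vhost must not reach /admin.
DENY_RULE = {"path": "/admin", "host": "example.com"}


def decide(req: Request, *, strict: bool) -> str:
    """Return "DENY", "ALLOW" or "400".

    strict=False matches the raw wire values, which is the behaviour the
    three advisories describe; strict=True validates and normalizes first.
    """
    try:
        if strict:
            r = normalize(req)
        else:
            r = Request(req.path, {k.lower(): v for k, v in req.headers.items()})
    except BadRequest:
        return "400"
    if r.path == DENY_RULE["path"] and r.headers.get("host") == DENY_RULE["host"]:
        return "DENY"
    return "ALLOW"


# Constructed sample requests, one per bypass class plus a baseline.
SAMPLES = {
    "baseline": Request("/admin", {"Host": "example.com"}),
    "fragment CVE-2021-32779": Request("/admin#x", {"Host": "example.com"}),
    "trailing space CVE-2019-18802": Request("/admin", {"Host": "example.com "}),
    "embedded NUL CVE-2019-9900": Request("/admin", {"Host": "example.com\x00"}),
}


def run() -> dict:
    """Map each sample to (raw decision, strict decision)."""
    return {name: (decide(r, strict=False), decide(r, strict=True))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw, strict) in run().items():
        print(f"{name:32s} raw={raw:6s} strict={strict}")
```

The point of returning "400" for the NUL case rather than normalizing it away is that there is no single correct interpretation of a header value containing a control byte; any choice leaves some downstream component with a different view, so rejection is the only answer that keeps the proxy and the upstream in agreement.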
CVE-2022-21654 | CRITICAL (CVSS 9.8) | P3 | affected: ≥ 1.7.0, < 1.18.6; ≥ 1.19.0, < 1.19.3; +6 more | published 2022-02-22
CWE-295. Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's TLS session re-use allows a session to be resumed when some certificate validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default TLS settings are used. Users are advised to upgrade.
Source: nvd
CVE-2026-47221 | HIGH (CVSS 7.5) | P3 | affected: ≥ 1.18.0, < 1.35.13; ≥ 1.36.0, < 1.36.9; +6 more | published 2026-06-26
CWE-476. Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.18.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the router filter contains a null pointer dereference vulnerability when handling HTTP 303 (See Other) internal redirects for body-less non-GET/HEAD requests. When a POST, PUT, DELETE, or PATCH request without a
Source: nvd
CVE-2024-23326 | HIGH (CVSS 8.2) | P3 | fixed in 1.27.6; affected: ≥ 1.28.0, < 1.28.4; +6 more | published 2024-06-04
CWE-391. Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC https://www.rfc-editor.org/rfc/rfc7230#section-6.7 a server sends 101 when switching protocols. Envoy incorrectly accepts a 200 response from a
Source: nvd
CVE-2026-47774 | HIGH (CVSS 7.5) | P3 | fixed in 1.35.11; affected: ≥ 1.36.0, < 1.36.7; +2 more | published 2026-06-17
CWE-405. Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and
Source: cvelistv5, nvd
CVE-2026-48042 | HIGH (CVSS 7.5) | P3 | affected: ≥ 1.18.0, < 1.35.13; ≥ 1.36.0, < 1.36.9; +6 more | published 2026-06-26
CWE-1124. Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Source: nvd
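Upgrading is the fix for CVE-2026-48042; the defense in depth is to bound nesting before any recursive parser or destructor touches the payload. The following is an added example, not Envoy's code: an iterative depth scanner that skips brackets inside JSON strings (including after backslash escapes) and aborts at the first bracket past the limit, so it neither recurses nor has to read a 100K-level payload to the end. The payloads are constructed for the demo.

```python
"""Bound JSON nesting before any recursive parser or destructor touches it.

Added example, not Envoy's code. CVE-2026-48042 is a stack overflow in the
destructor of a deeply (about 100K levels) nested object; the upgrade is the
fix, and a depth guard at the edge is the defense in depth shown here. The
scanner is iterative, so it cannot itself blow the stack, and it stops at the
first bracket past the limit rather than reading the whole payload.
"""
import json


class TooDeep(ValueError):
    """Nesting exceeded the configured limit."""


def json_depth(text: str, limit: int) -> int:
    """Return the maximum [ / { nesting depth of `text`, raising TooDeep as
    soon as `limit` is exceeded. Brackets inside JSON strings are ignored,
    including after backslash escapes."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise TooDeep(f"nesting exceeds {limit}")
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def guarded_loads(text: str, limit: int = 64):
    """json.loads, but only after the nesting check passes. Python's own
    parser would raise RecursionError far below 100K levels; a C++ recursive
    parser or destructor instead overruns the stack and crashes the process."""
    json_depth(text, limit)
    return json.loads(text)


def is_safe(text: str, limit: int = 64) -> bool:
    try:
        json_depth(text, limit)
        return True
    except TooDeep:
        return False


# Constructed payloads: a normal document, brackets hidden in a string, and
# the CVE-style deep nesting (100K opening brackets, never closed).
NORMAL = '{"a": [1, {"b": 2}]}'
BRACKETS_IN_STRING = '{"s": "[[[[\\"]]"}'
DEEP = "[" * 100_000

if __name__ == "__main__":
    print(json_depth(NORMAL, 64), json_depth(BRACKETS_IN_STRING, 64), is_safe(DEEP))
```

The limit of 64 is a constructed default; pick it from the deepest document your own APIs legitimately produce, since a limit that is too low rejects real traffic and one that is too high only moves the crash.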
CVE-2026-48743 | HIGH (CVSS 7.5) | P3 | affected: ≥ 1.35.0, < 1.35.13; ≥ 1.36.0, < 1.36.9; +6 more | published 2026-06-26
CWE-444. Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unre
Source: nvd
CVE-2021-39162 | HIGH (CVSS 8.6) | P3 | fixed in 1.18.4; affected: 1.19.0 | published 2021-09-09
CWE-754. Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upst
Source: nvd
CVE-2026-47204 | HIGH (CVSS 7.5) | P3 | affected: ≥ 1.26.0, < 1.35.13; ≥ 1.36.0, < 1.36.9; +6 more | published 2026-06-26
CWE-476. Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response
Source: nvd
CVE-2025-62409 | HIGH (CVSS 7.5) | P3 | fixed in 1.33.11; affected: ≥ 1.34.0, < 1.34.9; +6 more | published 2025-10-16
CWE-476. Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can potentially trigger TCP connection pool crashes due to flow control management in Envoy. It will happen when the connection is closing but upstream data is still coming, resulting in a buffer watermark callback nu
Source: nvd
CVE-2026-47220 | HIGH (CVSS 7.5) | P3 | affected: ≥ 1.37.0, < 1.37.5; ≥ 1.38.0, < 1.38.3; +2 more | published 2026-06-26
CWE-476. Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when %REQUESTED_SERVER_NAME(X:Y)% is used in the log format and host-related options are specified, like HOST_FIRST or SNI_FIRST, it is possible to crash Envoy when the specified host header is missing from the request headers. This vu
Source: nvd
CVE-2026-48497 | HIGH (CVSS 7.5) | P3 | fixed in 1.35.13; affected: ≥ 1.36.0, < 1.36.9; +6 more | published 2026-06-26
CWE-480. Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, in cases where the UDP DNS filter is configured with local resolution containing a name with the length of 255 octets, or remote resolution for a name 255 octets long can complete successfully, a query with such a name will
Source: nvd
CVE-2020-35470 | HIGH (CVSS 8.8) | P3 | fixed in 1.16.1 | published 2020-12-15
Envoy before 1.16.1 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters).
Source: nvd
CVE-2026-48044 | HIGH (CVSS 7.5) | P3 | affected: ≥ 1.23.0, < 1.35.13; ≥ 1.36.0, < 1.36.9; +6 more | published 2026-06-26
CWE-409. Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead
Source: nvd
CVE-2024-23324 | HIGH (CVSS 7.5) | P3 | affected: ≥ 1.26.0, < 1.26.7; ≥ 1.27.0, < 1.27.3; +6 more | published 2024-02-09
CWE-20. Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users a
Source: nvd
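CVE-2024-23324 is only reachable when the ext_authz filter is configured to fail open (failure_mode_allow: true), so besides upgrading, the practical check is to find every ext_authz instance that fails open. The following is an added example, not Envoy's code: an audit that walks a static bootstrap, built here as a Python dict in the shape Envoy's YAML takes so it runs without PyYAML, reports each ext_authz filter with failure_mode_allow enabled, and returns a hardened copy with the flag cleared. The config is constructed for the demo; the audit covers only static listeners' http_filters, not filters delivered by LDS/ECDS or per-route overrides.

```python
"""Audit an Envoy listener config for ext_authz set to fail open.

Added example, not Envoy's code. CVE-2024-23324 is only reachable when
ext_authz has failure_mode_allow: true; the audit below walks a static
bootstrap (constructed here as a dict, in the shape Envoy's YAML takes)
and reports every ext_authz instance that fails open, and harden() flips
them to fail closed. It only looks at static listeners' http_filters;
filters delivered by LDS/ECDS or per-route overrides are out of scope.
"""
import copy

HCM_TYPE = ("type.googleapis.com/envoy.extensions.filters.network."
            "http_connection_manager.v3.HttpConnectionManager")
EXT_AUTHZ_TYPE = "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
ROUTER_TYPE = "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"

# Constructed config: one listener, ext_authz over gRPC, failing open.
SAMPLE_CONFIG = {
    "static_resources": {
        "listeners": [{
            "name": "ingress",
            "filter_chains": [{
                "filters": [{
                    "name": "envoy.filters.network.http_connection_manager",
                    "typed_config": {
                        "@type": HCM_TYPE,
                        "http_filters": [
                            {"name": "envoy.filters.http.ext_authz",
                             "typed_config": {
                                 "@type": EXT_AUTHZ_TYPE,
                                 "failure_mode_allow": True,
                                 "grpc_service": {"envoy_grpc": {"cluster_name": "authz"}}}},
                            {"name": "envoy.filters.http.router",
                             "typed_config": {"@type": ROUTER_TYPE}},
                        ],
                    },
                }],
            }],
        }],
    },
}


def iter_http_filters(config: dict):
    """Yield (listener name, http filter dict) for every HCM in the config."""
    for listener in config.get("static_resources", {}).get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for net_filter in chain.get("filters", []):
                typed = net_filter.get("typed_config", {})
                if typed.get("@type") == HCM_TYPE:
                    for http_filter in typed.get("http_filters", []):
                        yield listener.get("name", "<unnamed>"), http_filter


def audit_ext_authz(config: dict) -> list:
    """Return one finding string per ext_authz filter that fails open."""
    findings = []
    for listener_name, http_filter in iter_http_filters(config):
        typed = http_filter.get("typed_config", {})
        if typed.get("@type") != EXT_AUTHZ_TYPE:
            continue
        if typed.get("failure_mode_allow", False):
            findings.append(
                f"{listener_name}/{http_filter.get('name')}: failure_mode_allow is true; "
                "an authz error (including a request the authz server cannot parse) "
                "lets the request through")
    return findings


def harden(config: dict) -> dict:
    """Copy of the config with every ext_authz filter set to fail closed
    (Envoy then answers errors with status_on_error, 403 by default)."""
    fixed = copy.deepcopy(config)
    for _, http_filter in iter_http_filters(fixed):
        typed = http_filter.get("typed_config", {})
        if typed.get("@type") == EXT_AUTHZ_TYPE:
            typed["failure_mode_allow"] = False
    return fixed


if __name__ == "__main__":
    for finding in audit_ext_authz(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("after harden():", audit_ext_authz(harden(SAMPLE_CONFIG)))
```

Failing closed is the default and trades availability for correctness: an outage of the authorization service then turns into 403s for every protected route, which is the behaviour you want for an authorization boundary and should be paired with alerting on ext_authz errors rather than with failure_mode_allow.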
CVE-2025-62504 | HIGH (CVSS 7.5) | P3 | fixed in 1.33.12; affected: ≥ 1.34.0, < 1.34.10; +6 more | published 2025-10-16
CWE-416. Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a
Source: nvd
CVE-2024-45809 | HIGH (CVSS 7.5) | P3 | affected: ≥ 1.29.0, < 1.29.9; ≥ 1.30.0, < 1.30.6; +4 more | published 2024-09-20
CWE-119. Envoy is a cloud-native high-performance edge/middle/service proxy. Jwt filter will lead to an Envoy crash when clear route cache with remote JWKs. In the following case: 1. remote JWKs are used, which requires async header processing; 2. clear_route_cache is enabled on the provider; 3. header operations are enabled in JWT filter, e.g. header to claim
Source: nvd
CVE-2026-26330 | HIGH (CVSS 7.5) | P3 | fixed in 1.34.13; affected: ≥ 1.35.0, < 1.35.8; +5 more | published 2026-03-10
CWE-416. Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, at the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase lim
Source: nvd