Envoyproxy Envoy vulnerabilities
110 known vulnerabilities affecting envoyproxy/envoy.
Total CVEs
110
CISA KEV
1
actively exploited
Public exploits
1
Exploited in wild
1
Severity breakdown
CRITICAL11HIGH73MEDIUM25LOW1
Vulnerabilities
Page 6 of 6
CVE-2022-29224P4MEDIUMCVSS 5.9fixed in 1.22.12022-06-09
CVE-2022-29224 [MEDIUM] CWE-476 CVE-2022-29224: Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a s
Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can “hold” (prevent removal) upstream hosts obtained via service discovery until configu
nvd
CVE-2026-26309P4MEDIUMCVSS 5.3fixed in 1.34.13≥ 1.35.0, < 1.35.8+5 more2026-03-10
CVE-2026-26309 [MEDIUM] CWE-193 CVE-2026-26309: Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13,
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vu
nvd
CVE-2025-46821P4MEDIUMCVSS 5.3fixed in 1.31.8≥ 1.32.0, < 1.32.6+5 more2025-05-07
CVE-2025-46821 [MEDIUM] CWE-186 CVE-2025-46821: Envoy is a cloud-native edge/middle/service proxy. Prior to versions 1.34.1, 1.33.3, 1.32.6, and 1.3
Envoy is a cloud-native edge/middle/service proxy. Prior to versions 1.34.1, 1.33.3, 1.32.6, and 1.31.8, Envoy's URI template matcher incorrectly excludes the `*` character from a set of valid characters in the URI path. As a result URI path containing the `*` character will not match a URI template expressions. This can result in bypass of RBAC rul
nvd
CVE-2023-35944P4MEDIUMCVSS 5.3≥ 1.23.0, < 1.23.12≥ 1.24.0, < 1.24.10+6 more2023-07-25
CVE-2023-35944 [MEDIUM] CWE-20 CVE-2023-35944: Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows
Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with mixed-case schemes such as `htTp` or `htTps`, or the b
nvd
CVE-2020-15104P4MEDIUMCVSS 5.4fixed in 1.12.6≥ 1.13.0, < 1.13.4+3 more2020-07-14
CVE-2020-15104 [MEDIUM] CWE-346 CVE-2020-15104: In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy
In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This de
nvd
CVE-2020-8660P4MEDIUMCVSS 5.3fixed in 1.12.3≥ 1.13.0, < 1.13.12020-03-04
CVE-2020-8660 [MEDIUM] CWE-345 CVE-2020-8660: CNCF Envoy through 1.13.0 TLS inspector bypass. TLS inspector could have been bypassed (not recogniz
CNCF Envoy through 1.13.0 TLS inspector bypass. TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process.
nvd
CVE-2024-23323P4MEDIUMCVSS 5.3≥ 1.26.0, < 1.26.7≥ 1.27.0, < 1.27.3+6 more2024-02-09
CVE-2024-23323 [MEDIUM] CWE-400 CVE-2024-23323: Envoy is a high-performance edge/middle/service proxy. The regex expression is compiled for every re
Envoy is a high-performance edge/middle/service proxy. The regex expression is compiled for every request and can result in high CPU usage and increased request latency when multiple routes are configured with such matchers. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known
nvd
CVE-2026-47778P4MEDIUMCVSS 4.4fixed in 1.35.13≥ 1.36.0, < 1.36.9+6 more2026-06-26
CVE-2026-47778 [MEDIUM] CWE-158 CVE-2026-47778: Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm.
nvd
CVE-2026-47692P4MEDIUMCVSS 4.3≥ 1.34.0, < 1.35.13≥ 1.36.0, < 1.36.9+6 more2026-06-26
CVE-2026-47692 [MEDIUM] CWE-130 CVE-2026-47692: Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 u
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the ups
nvd
CVE-2020-11767P4LOWCVSS 3.1≤ 1.14.12020-04-15
CVE-2020-11767 [LOW] CVE-2020-11767: Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (n
Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be 421 Misdirected Request. Imagine a shared ca
nvd
← Previous6 / 6