github.com/envoyproxy/envoy vulnerabilities
11 known vulnerabilities affecting github.com/envoyproxy/envoy.
Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 7, LOW 1
Vulnerabilities
CVE-2026-26308 [HIGH] CWE-20: Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation
Affected: ≥ 1.37.0, < 1.37.1; ≥ 1.36.0, < 1.36.5; +2 more. Published: 2026-03-10
## 1. Summary
The Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This be
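The difference between the two validation orders, as an added illustrative model in Python rather than Envoy's C++ (this is not Envoy code; the matcher kinds, header names and values are constructed for the example, and Envoy's exact matcher semantics are not reproduced):

```python
"""Added illustrative model (not Envoy code) of two ways to apply a header
matcher when a request carries several values for the same header name."""
import re
from typing import Callable, Dict, Iterable, List

Matcher = Callable[[str], bool]


def prefix_matcher(prefix: str) -> Matcher:
    return lambda value: value.startswith(prefix)


def suffix_matcher(suffix: str) -> Matcher:
    return lambda value: value.endswith(suffix)


def regex_matcher(pattern: str) -> Matcher:
    # Anchored, like a matcher that must cover the whole value.
    compiled = re.compile(pattern)
    return lambda value: compiled.fullmatch(value) is not None


def check_concatenated(values: Iterable[str], matcher: Matcher) -> bool:
    # Models the behaviour the advisory describes: repeated header values are
    # folded into one comma-separated string and the matcher runs once on it.
    return matcher(",".join(values))


def check_each_value(values: Iterable[str], matcher: Matcher) -> bool:
    # Hardened form: the matcher must accept every value on its own, and a
    # request with no value for the header does not satisfy the rule.
    values = list(values)
    return bool(values) and all(matcher(v) for v in values)


def evaluate(values: List[str], matcher: Matcher) -> Dict[str, bool]:
    """Return the verdict of both strategies so they can be compared side by side."""
    return {
        "concatenated": check_concatenated(values, matcher),
        "per_value": check_each_value(values, matcher),
    }


if __name__ == "__main__":
    # Constructed request: a permit rule requiring every x-env value to start
    # with "prod-"; the second value is one the rule should reject.
    print(evaluate(["prod-web", "debug-bypass"], prefix_matcher("prod-")))
    # The same mechanism in the other direction: two acceptable values fail an
    # anchored regex because the inserted comma is not in the allowed alphabet.
    print(evaluate(["prod-web", "prod-api"], regex_matcher(r"[a-z-]+")))
```

Prefix, suffix and contains style rules over-permit when one acceptable value is joined with an arbitrary one; exact and anchored-regex rules over-deny because the joining comma becomes part of the string under test. Either way the policy author's intent is only met when each value is checked on its own.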
CVE-2026-26330 [MEDIUM] CWE-416: Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly
Affected: ≥ 1.36.0, ≤ 1.36.4. Published: 2026-03-10
### Summary
In the rate limit filter, if the response phase limit is enabled with `apply_on_stream_done` in the rate limit configuration and the response phase limit request fails directly, Envoy may crash.
CVE-2026-26309 [MEDIUM] CWE-193: Envoy affected by off-by-one write in JsonEscaper::escapeString()
Affected: ≥ 1.36.0, ≤ 1.36.4; ≥ 1.35.0, ≤ 1.35.8; +1 more. Published: 2026-03-10
### Summary
An off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string.
### Details
The bug is in the control-character escaping path in source/commo
CVE-2026-26310 [MEDIUM] CWE-20: Envoy vulnerable to crash for scoped ip address during DNS
Affected: ≥ 1.36.0, ≤ 1.36.4; ≥ 1.35.0, ≤ 1.35.8; +1 more. Published: 2026-03-10
### Summary
Calling `Utility::getAddressWithPort` with a scoped IPv6 address causes a crash. This utility is called in the data plane from the original_src filter and the dns filter.
### Details
The crashing function is `Utility::getAddressWithPort`. The crash occurs if a string containing a scoped IPv6 address is passed to this function.
Thi
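An address-with-port builder that treats a zone identifier (the `%eth0` part of a scoped IPv6 literal) as ordinary input and returns `None` instead of raising, as an added example in Python rather than Envoy's C++. It is not Envoy code and does not reproduce `Utility::getAddressWithPort`; the function names, the accepted zone-id alphabet and the bracketed output format are assumptions for the example.

```python
"""Added example (not Envoy code): build "host:port" / "[v6]:port" strings while
treating scoped IPv6 literals such as fe80::1%eth0 as ordinary input."""
import ipaddress
import re
from typing import Optional, Tuple

# Zone identifiers are interface names or numeric indexes. The alphabet
# accepted here is an assumption chosen for the example.
_ZONE_ID = re.compile(r"[A-Za-z0-9_.-]+")


def split_zone(literal: str) -> Tuple[str, Optional[str]]:
    """'fe80::1%eth0' -> ('fe80::1', 'eth0'); '2001:db8::1' -> ('2001:db8::1', None)."""
    host, sep, zone = literal.partition("%")
    return (host, zone) if sep else (host, None)


def address_with_port(literal: str, port: int) -> Optional[str]:
    """Return the formatted address, or None for anything that is not a valid
    IP literal with an optional IPv6 zone id. Never raises on malformed input."""
    if not 0 <= port <= 65535:
        return None
    host, zone = split_zone(literal)
    try:
        ip = ipaddress.ip_address(host)  # rejects hostnames, garbage, empty strings
    except ValueError:
        return None
    if zone is not None:
        # A zone id only makes sense on IPv6 and must be well formed; an empty
        # zone ("fe80::1%") or a second '%' is rejected rather than guessed at.
        if isinstance(ip, ipaddress.IPv4Address) or not _ZONE_ID.fullmatch(zone):
            return None
    if isinstance(ip, ipaddress.IPv4Address):
        return f"{ip}:{port}"
    v6 = f"{ip}%{zone}" if zone is not None else str(ip)
    return f"[{v6}]:{port}"


if __name__ == "__main__":
    # Constructed inputs covering the plain, scoped and malformed cases.
    for sample in ["fe80::1%eth0", "2001:db8::1", "10.0.0.1",
                   "fe80::1%", "fe80::1%eth0%x", "10.0.0.1%eth0", "not-an-ip"]:
        print(f"{sample!r:>18} -> {address_with_port(sample, 8080)}")
```

Splitting the zone id off before the address parser sees the string is what keeps the scoped case from being a special one; the same inputs make a useful negative-test set for any address utility that sits on a data-plane path.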
CVE-2026-26311 [MEDIUM] CWE-416: Envoy: HTTP - filter chain execution on reset streams causing UAF crash
Affected: ≥ 1.36.0, ≤ 1.36.4; ≥ 1.35.0, ≤ 1.35.8; +1 more. Published: 2026-03-10
**Note:**
This vulnerability was originally reported to the Google OSS VRP (Issue ID: [477542544](https://issuetracker.google.com/issues/477542544)). The Google Security Team requested that I coordinate directly with the Envoy maintainers for triage and remediation. I am submitting this report here to facilitate that proc
CVE-2025-66220 [MEDIUM] CWE-170: Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte
Affected: ≥ 1.36.0, < 1.36.3; ≥ 1.35.0, < 1.35.7; +2 more. Published: 2025-12-05
### Summary
Envoy’s mTLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte (\0) inside an `OTHERNAME` SAN value as valid
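How a NUL-terminated comparison differs from a length-aware one, as an added illustrative example in Python (not Envoy's matcher code; the SAN value and the expected identity are constructed for the example). ASN.1 strings carry an explicit length, so a NUL inside a SAN value is representable on the wire; a consumer that treats the bytes as a C string stops at the first NUL and compares only the prefix.

```python
"""Added illustrative example (not Envoy code): matching a SAN value that may
contain an embedded NUL byte against an expected identity."""


def c_string_view(value: bytes) -> bytes:
    """The bytes a NUL-terminated (char*) consumer effectively sees."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def match_san_as_cstring(san_value: bytes, expected: str) -> bool:
    # Vulnerable pattern: everything after the first NUL never reaches the
    # comparison, so a value with a trusted prefix and an arbitrary tail matches.
    return c_string_view(san_value).decode("utf-8", "replace") == expected


def match_san_strict(san_value: bytes, expected: str) -> bool:
    # Hardened: an embedded NUL is never a valid name, so refuse it outright,
    # then compare the full, length-delimited value byte for byte.
    if b"\x00" in san_value:
        return False
    return san_value == expected.encode("utf-8")


if __name__ == "__main__":
    trusted = "spiffe://cluster.local/ns/prod/sa/api"
    # Constructed SAN value: the trusted identity, a NUL, then an arbitrary tail.
    san = b"spiffe://cluster.local/ns/prod/sa/api\x00.attacker.test"
    print("c-string compare:", match_san_as_cstring(san, trusted))  # True
    print("strict compare  :", match_san_strict(san, trusted))      # False
```

The check for an embedded NUL belongs before any string conversion: once the value has been handed to an API that takes a `char*`, the length information that would have exposed the tail is already gone.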
CVE-2025-64527 [MEDIUM] CWE-476: Envoy crashes when JWT authentication is configured with the remote JWKS fetching
Affected: ≥ 1.36.0, < 1.36.3; ≥ 1.35.0, < 1.35.7; +2 more. Published: 2025-12-05
### Summary
Envoy crashes when JWT authentication is configured with the remote JWKS fetching, `allow_missing_or_failed` is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails.
### Details
This is caused by a re-entry bug in the `JwksFetcherImpl`. When the first to
CVE-2025-64763 [LOW] CWE-693: Envoy forwards early CONNECT data in TCP proxy mode
Affected: ≥ 1.36.0, < 1.36.3; ≥ 1.35.0, < 1.35.7; +2 more. Published: 2025-12-05
## Summary
Forwarding of early CONNECT data in TCP proxy mode.
## Details
Per [RFC 7231 section 4.3.6](https://www.rfc-editor.org/rfc/rfc7231#section-4.3.6), the sender of a CONNECT (and all inbound proxies) switches to tunnel mode only after receiving a 2xx response. However, in TCP proxy mode Envoy accepts client data before it has issued a 2xx response and eagerly proxies
CVE-2025-54588 [HIGH] CWE-416: Envoy: Race condition in Dynamic Forward Proxy leads to use-after-free and segmentation faults
Affected: ≥ 1.35.0, < 1.35.1; ≥ 1.34.0, < 1.34.5. Published: 2025-09-15
### Summary
A use-after-free (UAF) vulnerability in Envoy's DNS cache causes abnormal process termination. Envoy may reallocate memory while processing a pending DNS resolution, causing a list iterator to reference freed memory.
### Details
The vulnerability exists in Envoy's Dy
CVE-2025-30157 [MEDIUM] CWE-460: Envoy crashes when HTTP ext_proc processes local replies
Affected: ≥ 0, < 1.30.10; ≥ 1.31.0, < 1.31.6; +2 more. Published: 2025-03-21
### Summary
Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server, because of a filter lifetime issue. A known trigger is a failed WebSocket handshake, which produces a local reply and crashes Envoy.
### PoC
If both websocket and ext_proc are enabled, a failed handshake will trigger a loca
CVE-2019-9901 [CRITICAL] CWE-706: EnvoyProxy Envoy Missing HTTP URL path normalization
Affected: ≥ 0, < 1.9.1. Published: 2022-05-24
Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., `something/../admin`, to bypass access control, e.g., a block on `/admin`. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.
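Normalizing dot segments before the access-control check, as an added example in Python (not Envoy's code; the blocklist and sample paths are constructed for the example). The normalization resolves literal `.` and `..` segments with RFC 3986 section 5.2.4 semantics and collapses repeated slashes; it does not decode percent-encoding.

```python
"""Added example (not Envoy code): apply a path blocklist to a normalized path
so that `/something/../admin` is treated the same as `/admin`."""
from typing import Iterable, List


def normalize_path(path: str) -> str:
    """Resolve '.' and '..' segments and collapse repeated slashes. A '..' at the
    root is dropped, not preserved; a trailing '/', '/.' or '/..' keeps the
    result directory-like, as RFC 3986 remove_dot_segments does."""
    out: List[str] = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue  # empty segments are repeated slashes
        if segment == "..":
            if out:
                out.pop()
            continue
        out.append(segment)
    normalized = "/" + "/".join(out)
    if normalized != "/" and path.endswith(("/", "/.", "/..")):
        normalized += "/"
    return normalized


def is_blocked(path: str, blocked_prefixes: Iterable[str], normalize: bool = True) -> bool:
    """Segment-aware prefix check: '/admin' blocks '/admin' and '/admin/x' but
    not '/administrator'. With normalize=False the check runs on the path as
    sent, which is the behaviour the advisory describes."""
    checked = normalize_path(path) if normalize else path
    return any(checked == p or checked.startswith(p.rstrip("/") + "/")
               for p in blocked_prefixes)


if __name__ == "__main__":
    blocklist = ["/admin"]  # constructed policy for the example
    for sample in ["/admin", "/something/../admin", "/./admin/users", "/administrator"]:
        raw = is_blocked(sample, blocklist, normalize=False)
        print(f"{sample:<22} raw={raw!s:<6} normalized={is_blocked(sample, blocklist)}")
```

The proxy's access-control decision and the backend's routing must agree on what a path means; normalizing at the proxy before matching removes the disagreement the advisory describes, because the backend would otherwise resolve `something/../admin` to the very resource the policy meant to block.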