Envoy Admin Interface Exposed through Prometheus metrics endpoint
Description
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the EnvoyProxy API can be used to apply a bootstrap config patch that restricts access strictly to the Prometheus stats endpoint. Find below an example of such a bootstrap patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/envoyproxy/gateway (Go) | < 1.2.6 | 1.2.6 |
Affected products
- Range: < 1.2.6
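The 1.2.6 fix hardens the ready listener's Prometheus route in three ways: it enables path normalization on the HttpConnectionManager, replaces the `prefix` match on `/stats/prometheus` with an exact `path` match, and pins the route to `:method` GET. The audit script below is an added example, not code from Envoy Gateway or from the advisory; it checks a rendered bootstrap for exactly those three properties so an operator can confirm that an upgrade or a workaround bootstrap patch actually reached the proxy. It accepts both the snake_case spelling of the bootstrap YAML and the camelCase spelling of an xDS JSON dump (YAML input needs a YAML loader first; dicts are assumed here). The listener name `ready` and the `BEFORE`, `AFTER` and `XDS_JSON_AFTER` bootstraps are constructed samples that mirror the shape of the patched files, not configuration copied from the project.

```python
"""Audit an Envoy bootstrap for the hardened Prometheus stats route.

Added example, not code from the Envoy Gateway project or the advisory. It
checks the three properties of the 1.2.6 fix: normalize_path on the HCM, an
exact `path` match (not `prefix`) for /stats/prometheus, and a `:method`
matcher pinned to GET. snake_case (bootstrap YAML) and camelCase (xDS JSON)
key spellings are both accepted, since Envoy Gateway emits both.
"""
import json

HCM_TYPE = ("type.googleapis.com/envoy.extensions.filters.network."
            "http_connection_manager.v3.HttpConnectionManager")
STATS_PATH = "/stats/prometheus"
STATS_CLUSTER = "prometheus_stats"


def _get(d, *keys, default=None):
    """Value of the first key present; lets snake_case and camelCase coexist."""
    for k in keys:
        if k in d:
            return d[k]
    return default


def iter_hcm_configs(bootstrap):
    """Yield (listener name, HttpConnectionManager config) for static listeners."""
    static = _get(bootstrap, "static_resources", "staticResources", default={})
    for listener in static.get("listeners", []):
        for chain in _get(listener, "filter_chains", "filterChains", default=[]):
            for f in chain.get("filters", []):
                cfg = _get(f, "typed_config", "typedConfig", default={})
                if cfg.get("@type") == HCM_TYPE:
                    yield listener.get("name", "<unnamed>"), cfg


def route_findings(route):
    """Problems with one stats route's match block, as a list of strings."""
    match = route.get("match", {})
    problems = []
    if "prefix" in match:
        problems.append("uses prefix match; every path under the prefix is routed")
    elif match.get("path") != STATS_PATH:
        problems.append("path is not an exact match for " + STATS_PATH)
    methods = [_get(h, "exact_match", "exactMatch")
               for h in match.get("headers", []) if h.get("name") == ":method"]
    if methods != ["GET"]:
        problems.append(":method is not restricted to GET")
    return problems


def audit_bootstrap(bootstrap):
    """Return {listener name: [finding, ...]}; an empty dict means hardened."""
    report = {}
    for name, hcm in iter_hcm_configs(bootstrap):
        findings = []
        if _get(hcm, "normalize_path", "normalizePath") is not True:
            findings.append("normalize_path is not enabled")
        rc = _get(hcm, "route_config", "routeConfig", default={})
        for vh in _get(rc, "virtual_hosts", "virtualHosts", default=[]):
            for route in vh.get("routes", []):
                if route.get("route", {}).get("cluster") == STATS_CLUSTER:
                    findings.extend(route_findings(route))
        if findings:
            report[name] = findings
    return report


def audit_json(text):
    """Audit a bootstrap supplied as JSON text, e.g. an xDS dump."""
    return audit_bootstrap(json.loads(text))


def make_bootstrap(match, normalize_path):
    """Constructed minimal bootstrap shaped like the ready listener's HCM."""
    hcm = {"@type": HCM_TYPE, "stat_prefix": "eg-ready-http",
           "route_config": {"name": "local_route", "virtual_hosts": [{
               "name": STATS_CLUSTER, "domains": ["*"],
               "routes": [{"match": match, "route": {"cluster": STATS_CLUSTER}}]}]}}
    if normalize_path:
        hcm["normalize_path"] = True
    return {"static_resources": {"listeners": [{
        "name": "ready",  # constructed listener name
        "filter_chains": [{"filters": [{"typed_config": hcm}]}]}]}}


# Route as rendered before the fix: prefix match, no normalization, any method.
BEFORE = make_bootstrap({"prefix": STATS_PATH}, normalize_path=False)
# Route as rendered by 1.2.6: exact path, GET only, normalize_path enabled.
AFTER = make_bootstrap({"path": STATS_PATH, "headers": [
    {"name": ":method", "exact_match": "GET"}]}, normalize_path=True)
# Same hardened route in the camelCase spelling of an xDS JSON dump (constructed).
XDS_JSON_AFTER = """{
  "staticResources": {"listeners": [{
    "name": "ready",
    "filterChains": [{"filters": [{"typedConfig": {
      "@type": "%s",
      "normalizePath": true,
      "routeConfig": {"virtualHosts": [{"routes": [{
        "match": {"headers": [{"exactMatch": "GET", "name": ":method"}],
                  "path": "/stats/prometheus"},
        "route": {"cluster": "prometheus_stats"}
      }]}]}
    }}]}]
  }]}
}""" % HCM_TYPE

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER),
                       ("xds-json", json.loads(XDS_JSON_AFTER))):
        print(label, audit_bootstrap(cfg) or "hardened")
```

Run it against the bootstrap actually rendered for your EnvoyProxy (for instance the translate output whose testdata the fix commit regenerates) rather than against the CRD you wrote: the point of the check is to catch a bootstrap patch that did not merge the way you expected. Only routes that send traffic to the `prometheus_stats` cluster are inspected, so unrelated routes on the same listener do not produce noise.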
Patches
3eb3301ab3db Merge commit from fork
57 files changed · +272 −53
internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml+10 −2 modified@@ -52,6 +52,7 @@ envoyProxyForGatewayClass: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -60,7 +61,10 @@ envoyProxyForGatewayClass: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters: @@ -677,6 +681,7 @@ xds: - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalizePath: true routeConfig: name: local_route virtualHosts: @@ -685,7 +690,10 @@ xds: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exactMatch: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats statPrefix: eg-ready-http
internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json+8 −1 modified@@ -268,6 +268,7 @@ } } ], + "normalizePath": true, "routeConfig": { "name": "local_route", "virtualHosts": [ @@ -279,7 +280,13 @@ "routes": [ { "match": { - "prefix": "/stats/prometheus" + "headers": [ + { + "exactMatch": "GET", + "name": ":method" + } + ], + "path": "/stats/prometheus" }, "route": { "cluster": "prometheus_stats"
internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml+5 −1 modified@@ -156,6 +156,7 @@ xds: - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalizePath: true routeConfig: name: local_route virtualHosts: @@ -164,7 +165,10 @@ xds: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exactMatch: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats statPrefix: eg-ready-http
internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml+5 −1 modified@@ -155,6 +155,7 @@ xds: - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalizePath: true routeConfig: name: local_route virtualHosts: @@ -163,7 +164,10 @@ xds: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exactMatch: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats statPrefix: eg-ready-http
internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json+8 −1 modified@@ -268,6 +268,7 @@ } } ], + "normalizePath": true, "routeConfig": { "name": "local_route", "virtualHosts": [ @@ -279,7 +280,13 @@ "routes": [ { "match": { - "prefix": "/stats/prometheus" + "headers": [ + { + "exactMatch": "GET", + "name": ":method" + } + ], + "path": "/stats/prometheus" }, "route": { "cluster": "prometheus_stats"
internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml+5 −1 modified@@ -156,6 +156,7 @@ xds: - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalizePath: true routeConfig: name: local_route virtualHosts: @@ -164,7 +165,10 @@ xds: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exactMatch: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats statPrefix: eg-ready-http
internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml+5 −1 modified@@ -155,6 +155,7 @@ xds: - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalizePath: true routeConfig: name: local_route virtualHosts: @@ -163,7 +164,10 @@ xds: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exactMatch: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats statPrefix: eg-ready-http
internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml+5 −1 modified@@ -156,6 +156,7 @@ xds: - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalizePath: true routeConfig: name: local_route virtualHosts: @@ -164,7 +165,10 @@ xds: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exactMatch: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats statPrefix: eg-ready-http
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml+5 −1 modified@@ -84,6 +84,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -92,7 +93,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml+1 −0 modified@@ -79,6 +79,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml+5 −1 modified@@ -92,6 +92,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -100,7 +101,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml+5 −1 modified@@ -88,6 +88,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -96,7 +97,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml+5 −1 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -91,7 +92,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml+5 −1 modified@@ -89,6 +89,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -97,7 +98,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml+5 −1 modified@@ -89,6 +89,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -97,7 +98,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml+5 −1 modified@@ -88,6 +88,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -96,7 +97,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml+5 −1 modified@@ -87,6 +87,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -95,7 +96,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml+1 −0 modified@@ -83,6 +83,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml+5 −1 modified@@ -88,6 +88,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -96,7 +97,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml+5 −1 modified@@ -88,6 +88,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -96,7 +97,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml+5 −1 modified@@ -88,6 +88,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -96,7 +97,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml+5 −1 modified@@ -96,6 +96,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -104,7 +105,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml+5 −1 modified@@ -87,6 +87,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -95,7 +96,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml+5 −1 modified@@ -87,6 +87,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -95,7 +96,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml+5 −1 modified@@ -88,6 +88,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -96,7 +97,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml+5 −1 modified@@ -92,6 +92,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -100,7 +101,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml+5 −1 modified@@ -87,6 +87,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -95,7 +96,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml+5 −1 modified@@ -87,6 +87,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -95,7 +96,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml+5 −1 modified@@ -87,6 +87,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -95,7 +96,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml+5 −1 modified@@ -87,6 +87,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -95,7 +96,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml+5 −1 modified@@ -87,6 +87,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -95,7 +96,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml+5 −1 modified@@ -87,6 +87,7 @@ spec: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -95,7 +96,10 @@ spec: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/xds/bootstrap/bootstrap.yaml.tpl+5 −1 modified@@ -77,6 +77,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route {{- if .EnablePrometheus }} @@ -86,7 +87,10 @@ static_resources: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats {{- if .EnablePrometheusCompression }}
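Review bot: the change to internal/xds/bootstrap/bootstrap.yaml.tpl is the only behavioural change in this commit; the other 56 files are regenerated golden outputs, and none of them adds a test that exercises the new match. A render or e2e test asserting that the ready listener refuses a non-GET request to `/stats/prometheus`, and refuses a request whose path equals `/stats/prometheus` only after normalization, would keep the template from regressing to `prefix: /stats/prometheus`. Placing `normalize_path: true` outside the `{{- if .EnablePrometheus }}` block is correct, since normalization should hold whether or not the stats route exists. Consider adding `merge_slashes: true` beside it; the Envoy edge best-practices page cited in the references recommends both settings together for any listener that makes routing decisions on the path.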
internal/xds/bootstrap/testdata/merge/default.out.yaml+5 −1 modified@@ -157,6 +157,7 @@ staticResources: - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalizePath: true routeConfig: name: local_route virtualHosts: @@ -165,7 +166,10 @@ staticResources: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exactMatch: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats statPrefix: eg-ready-http
internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml+5 −1 modified@@ -163,6 +163,7 @@ staticResources: - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalizePath: true routeConfig: name: local_route virtualHosts: @@ -171,7 +172,10 @@ staticResources: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exactMatch: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats statPrefix: eg-ready-http
internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml+5 −1 modified@@ -154,6 +154,7 @@ static_resources: - name: envoy.filters.http.router typed_config: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalize_path: true route_config: name: local_route virtual_hosts: @@ -162,7 +163,10 @@ static_resources: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exact_match: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats stat_prefix: eg-ready-http
internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml+5 −1 modified@@ -174,6 +174,7 @@ staticResources: - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + normalizePath: true routeConfig: name: local_route virtualHosts: @@ -182,7 +183,10 @@ staticResources: name: prometheus_stats routes: - match: - prefix: /stats/prometheus + headers: + - exactMatch: GET + name: :method + path: /stats/prometheus route: cluster: prometheus_stats statPrefix: eg-ready-http
internal/xds/bootstrap/testdata/render/custom-server-port.yaml+5 −1 modified@@ -43,6 +43,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -51,7 +52,10 @@ static_resources: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml+5 −1 modified@@ -54,6 +54,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -62,7 +63,10 @@ static_resources: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/xds/bootstrap/testdata/render/disable-prometheus.yaml+1 −0 modified@@ -43,6 +43,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route http_filters:
internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml+5 −1 modified@@ -43,6 +43,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -51,7 +52,10 @@ static_resources: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats typed_per_filter_config:
internal/xds/bootstrap/testdata/render/enable-prometheus.yaml+5 −1 modified@@ -43,6 +43,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -51,7 +52,10 @@ static_resources: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/xds/bootstrap/testdata/render/ipv6.yaml+5 −1 modified@@ -44,6 +44,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -52,7 +53,10 @@ static_resources: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml+1 −0 modified@@ -50,6 +50,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route http_filters:
internal/xds/bootstrap/testdata/render/otel-metrics.yaml+1 −0 modified@@ -50,6 +50,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route http_filters:
internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml+5 −1 modified@@ -43,6 +43,7 @@ static_resources: typed_config: "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: eg-ready-http + normalize_path: true route_config: name: local_route virtual_hosts: @@ -51,7 +52,10 @@ static_resources: - "*" routes: - match: - prefix: /stats/prometheus + path: /stats/prometheus + headers: + - name: ":method" + exact_match: GET route: cluster: prometheus_stats http_filters:
release-notes/current.yaml+1 −1 modified@@ -14,7 +14,7 @@ breaking changes: | # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | - Add a security update here + Fixed vulnerability which exposed the Envoy admin interface through the prometheus stats endpoint. # New features or capabilities added in this release. new features: |
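Review bot: the release note in release-notes/current.yaml is the only user-facing description of this change and it names neither the advisory identifier (GHSA-j777-63hf-hx76 / CVE-2025-24030) nor the affected range (< 1.2.6); add both so operators can map the note to the advisory, for example "Fixed GHSA-j777-63hf-hx76 (CVE-2025-24030): the Envoy admin interface was reachable through the Prometheus stats endpoint." While editing, capitalise "Prometheus".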
References
- github.com/advisories/GHSA-j777-63hf-hx76 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-24030 (NVD entry)
- github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd (fix commit)
- github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76 (vendor advisory)
- www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge (Envoy edge proxy best practices)
- www.envoyproxy.io/docs/envoy/latest/operations/admin (Envoy admin interface documentation)