Unrated severityNVD Advisory· Published Oct 16, 2025· Updated Oct 16, 2025
Envoy allows large requests and responses to cause TCP connection pool crash
CVE-2025-62409
Description
Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can potentially trigger TCP connection pool crashes due to flow control management in Envoy. It will happen when the connection is closing but upstream data is still coming, resulting in a buffer watermark callback nullptr reference. The vulnerability impacts TCP proxy and HTTP 1 & 2 mixed use cases based on ALPN. This vulnerability is fixed in 1.36.1, 1.35.5, 1.34.9, and 1.33.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
4prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10+ 1 more
- (no CPE)range: prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10
- (no CPE)range: >= 1.36.0, < 1.36.1
- osv-coords2 versions
< 1.33.10+ 1 more
- (no CPE)range: < 1.33.10
- (no CPE)range: < 1.27.3-1.1
Patches
Vulnerability mechanics
References
1- github.com/envoyproxy/envoy/security/advisories/GHSA-pq33-4jxh-hgm3mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.