Envoy
by Envoyproxy
Source repositories
CVEs (95)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-44487 | Hig | 0.65 | 7.5 | 1.00 | KEV | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | |
| CVE-2024-21881 | Hig | 0.56 | — | 0.00 | Aug 12, 2024 | Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x | ||
| CVE-2026-47220 | imp | 0.49 | 7.5 | 0.00 | Jun 26, 2026 | envoy: Envoy: Denial of Service via missing host header in specific logging configurations | ||
| CVE-2026-47774 | imp | 0.49 | 7.5 | 0.00 | Jun 4, 2026 | envoy: envoy: HTTP/2 Remote Denial of Service via HPACK compression bomb and Slowloris-style attack | ||
| CVE-2026-6994 | Med | 0.34 | 6.3 | 0.00 | Apr 25, 2026 | A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes injection. Remote exploitation of the attack… | ||
| CVE-2026-47205 | mod | 0.26 | — | 0.00 | Jun 26, 2026 | Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides | ||
| CVE-2024-30255 | 0.07 | — | 0.88 | Apr 4, 2024 | Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited… | |||
| CVE-2024-27919 | 0.07 | — | 0.87 | Apr 4, 2024 | Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, theEnvoy HTTP/2 protocol stack is vulnerable to the flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an… | |||
| CVE-2019-15226 | 0.05 | — | 0.65 | Oct 9, 2019 | Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 through 1.11.1 for HTTP/1.x traffic and all versions of Envoy for… | |||
| CVE-2021-29492 | 0.01 | — | 0.68 | May 28, 2021 | Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control,… | |||
| CVE-2026-26330 | 0.00 | — | 0.00 | Mar 10, 2026 | Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it… | |||
| CVE-2026-26311 | 0.00 | — | 0.00 | Mar 10, 2026 | Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or… | |||
| CVE-2026-26310 | 0.00 | — | 0.00 | Mar 10, 2026 | Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This… | |||
| CVE-2026-26309 | 0.00 | — | 0.00 | Mar 10, 2026 | Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds… | |||
| CVE-2026-26308 | 0.00 | — | 0.00 | Mar 10, 2026 | Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name.… | |||
| CVE-2025-66220 | 0.00 | — | 0.00 | Dec 3, 2025 | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as… | |||
| CVE-2025-64763 | 0.00 | — | 0.00 | Dec 3, 2025 | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP… | |||
| CVE-2025-64527 | 0.00 | — | 0.00 | Dec 3, 2025 | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers… | |||
| CVE-2025-62504 | 0.00 | — | 0.00 | Oct 16, 2025 | Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the… | |||
| CVE-2025-62409 | 0.00 | — | 0.00 | Oct 16, 2025 | Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can potentially trigger TCP connection pool crashes due to flow control management in Envoy. It will happen when the connection is closing but… |
- risk 0.65cvss 7.5epss 1.00
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- risk 0.56cvss —epss 0.00
Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x
- risk 0.49cvss 7.5epss 0.00
envoy: Envoy: Denial of Service via missing host header in specific logging configurations
- risk 0.49cvss 7.5epss 0.00
envoy: envoy: HTTP/2 Remote Denial of Service via HPACK compression bomb and Slowloris-style attack
- risk 0.34cvss 6.3epss 0.00
A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes injection. Remote exploitation of the attack…
- risk 0.26cvss —epss 0.00
Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides
- CVE-2024-30255Apr 4, 2024risk 0.07cvss —epss 0.88
Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited…
- CVE-2024-27919Apr 4, 2024risk 0.07cvss —epss 0.87
Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, theEnvoy HTTP/2 protocol stack is vulnerable to the flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an…
- CVE-2019-15226Oct 9, 2019risk 0.05cvss —epss 0.65
Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 through 1.11.1 for HTTP/1.x traffic and all versions of Envoy for…
- CVE-2021-29492May 28, 2021risk 0.01cvss —epss 0.68
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control,…
- CVE-2026-26330Mar 10, 2026risk 0.00cvss —epss 0.00
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it…
- CVE-2026-26311Mar 10, 2026risk 0.00cvss —epss 0.00
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or…
- CVE-2026-26310Mar 10, 2026risk 0.00cvss —epss 0.00
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This…
- CVE-2026-26309Mar 10, 2026risk 0.00cvss —epss 0.00
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds…
- CVE-2026-26308Mar 10, 2026risk 0.00cvss —epss 0.00
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name.…
- CVE-2025-66220Dec 3, 2025risk 0.00cvss —epss 0.00
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as…
- CVE-2025-64763Dec 3, 2025risk 0.00cvss —epss 0.00
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP…
- CVE-2025-64527Dec 3, 2025risk 0.00cvss —epss 0.00
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers…
- CVE-2025-62504Oct 16, 2025risk 0.00cvss —epss 0.00
Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the…
- CVE-2025-62409Oct 16, 2025risk 0.00cvss —epss 0.00
Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can potentially trigger TCP connection pool crashes due to flow control management in Envoy. It will happen when the connection is closing but…
Page 1 of 5