from 0, < 1.24.12, >= 1.25.0, < 1.25.11, >= 1.26.0, < 1.26.6, >= 1.27.0, < 1.27.2
from 0, < 1.28.7, >= 1.29.0, < 1.29.9, >= 1.30.0, < 1.30.6, >= 1.31.0, < 1.31.2
CRITICAL9.8Incorrect configuration handling allows TLS session re-use without re-validation in Envoy
>= 1.7.0, < 1.18.6, >= 1.19.0, < 1.19.3, >= 1.20.0, < 1.20.2, >= 1.21.0, < 1.21.1
CRITICAL9.8Envoy gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
from 0, < 1.22.9, >= 1.23.0, < 1.23.6, >= 1.24.0, < 1.24.4, >= 1.25.0, < 1.25.3
CRITICAL9.8Envoy vulnerable to OAuth2 credentials exploit with permanent validity
>= 1.23.0, < 1.23.12, >= 1.24.0, < 1.24.10, >= 1.25.0, < 1.25.9, >= 1.26.0, < 1.26.4
CRITICAL9.1Envoy Proxy use after free when route hash policy is configured with cookie attributes
from 0, < 1.27.7, >= 1.28.0, < 1.28.5, >= 1.29.0, < 1.29.7, >= 1.30.0, < 1.30.4
CRITICAL9.1Trivial authentication bypass in Envoy
from 0, < 1.22.1
CRITICAL9.1Envoy client may fake the header `x-envoy-original-path`
from 0, < 1.22.9, >= 1.23.0, < 1.23.6, >= 1.24.0, < 1.24.4, >= 1.25.0, < 1.25.3
CRITICAL9.1Envoy forwards invalid Http2/Http3 downstream headers
from 0, < 1.22.9, >= 1.23.0, < 1.23.6, >= 1.24.0, < 1.24.4, >= 1.25.0, < 1.25.3
CRITICAL9.1Envoy doesn't escape HTTP header values
from 0, < 1.22.9, >= 1.23.0, < 1.23.6, >= 1.24.0, < 1.24.4, >= 1.25.0, < 1.25.3
HIGH8.8Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag
from 0, < 1.32.10, >= 1.33.0, < 1.33.7, >= 1.34.0, < 1.34.5, >= 1.35.0, < 1.35.1
HIGH8.8Envoy before 1.16.1 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the…
from 0, < 1.16.1
HIGH8.6Incorrect Authorization with specially crafted requests
from 0, < 1.16.5, >= 1.17.0, < 1.17.4, >= 1.18.0, < 1.18.4, >= 1.19.0, < 1.19.1
HIGH8.6Incorrect handling of H2 GOAWAY + SETTINGS frames
from 0, < 1.18.4, >= 1.19.0, < 1.19.1
HIGH8.3Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers.
from 0, < 1.12.7, >= 1.13.0, < 1.13.4, >= 1.14.0, < 1.14.4, >= 1.15.0, < 1.15.1
HIGH8.3Bypass of path matching rules using escaped slash characters
from 0, < 1.15.5, >= 1.16.0, < 1.16.4, >= 1.17.0, < 1.17.3, >= 1.18.0, < 1.18.3
HIGH8.3Incorrect concatenation of multiple value request headers in ext-authz extension
>= 1.16.0, < 1.16.5, >= 1.17.0, < 1.17.4, >= 1.18.0, < 1.18.4, >= 1.19.0, < 1.19.1
HIGH8.3Incorrectly handling of URI '#fragment' element as part of the path element
>= 1.16.0, < 1.16.5, >= 1.17.0, < 1.17.4, >= 1.18.0, < 1.18.4, >= 1.19.0, < 1.19.1
HIGH8.2Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
from 0, < 1.27.6, >= 1.28.0, < 1.28.4, >= 1.29.0, < 1.29.5, >= 1.30.0, < 1.30.2
HIGH8.2JWT authentication bypass with unknown issuer token
>= 1.17.0, < 1.17.1
HIGH7.5Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation
from 0, < 1.34.13, >= 1.35.0, < 1.35.9, >= 1.36.0, < 1.36.5, >= 1.37.0, < 1.37.1
HIGH7.5Envoy Lua filter use-after-free when oversized rewritten response body causes crash
from 0, < 1.33.12, >= 1.34.0, < 1.34.10, >= 1.35.0, < 1.35.6, >= 1.36.0, < 1.36.2
HIGH7.5Envoy: Race condition in Dynamic Forward Proxy leads to use-after-free and segmentation faults
>= 1.34.0, < 1.34.5, >= 1.35.0, < 1.35.1
HIGH7.5Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting in envoy
>= 1.30.0, < 1.30.8, >= 1.31.0, < 1.31.4, >= 1.32.0, < 1.32.2
HIGH7.5HTTP/1: sending overload crashes when the request is reset beforehand in envoy
from 0, < 1.29.12, >= 1.30.0, < 1.30.9, >= 1.31.0, < 1.31.5, >= 1.32.0, < 1.32.3
HIGH7.5oghttp2 crash on OnBeginHeadersForStream in envoy
>= 1.31.0, < 1.31.2
HIGH7.5Jwt filter crash in the clear route cache with remote JWKs in envoy
>= 1.29.0, < 1.29.9, >= 1.30.0, < 1.30.6, >= 1.31.0, < 1.31.2
HIGH7.5Envoy crashes for LocalReply in http async client
from 0, < 1.31.2
HIGH7.5Envoy affected by a crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
from 0, < 1.27.6, >= 1.28.0, < 1.28.4, >= 1.29.0, < 1.29.5, >= 1.30.0, < 1.30.2
HIGH7.5Envoy crashes in QuicheDataReader::PeekVarInt62Length()
from 0, < 1.27.6, >= 1.28.0, < 1.28.4, >= 1.29.0, < 1.29.5, >= 1.30.0, < 1.30.2
HIGH7.5Envoy can enter an endless loop while decompressing Brotli data with extra input
>= 1.18.0, < 1.27.6, >= 1.28.0, < 1.28.4, >= 1.29.0, < 1.29.5, >= 1.30.0, < 1.30.2
HIGH7.5Envoy can crash due to uncaught nlohmann JSON exception
>= 1.28.0, < 1.28.4, >= 1.29.0, < 1.29.5, >= 1.30.0, < 1.30.2
HIGH7.5Envoy RELEASE_ASSERT using auto_sni with :authority header > 255 bytes
>= 1.13.0, < 1.27.5, >= 1.28.0, < 1.28.3, >= 1.29.0, < 1.29.4, >= 1.30.0, < 1.30.1
HIGH7.5HTTP/2: memory exhaustion due to CONTINUATION frame flood
>= 1.29.0, < 1.29.2
HIGH7.5HTTP/2: CPU exhaustion due to CONTINUATION frame flood
from 0, < 1.26.8, >= 1.27.0, < 1.27.4, >= 1.28.0, < 1.28.2, >= 1.29.0, < 1.29.3
HIGH7.5Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with man…
from 0, < 1.12.5, >= 1.13.2, < 1.13.3, >= 1.14.2, < 1.14.3
HIGH7.5Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a larg…
from 0, < 1.12.5, >= 1.13.2, < 1.13.3, >= 1.14.2, < 1.14.3
HIGH7.5Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field na…
from 0, < 1.12.5, >= 1.13.2, < 1.13.3, >= 1.14.2, < 1.14.3
HIGH7.5Envoy before 1.16.1 mishandles dropped and truncated datagrams, as demonstrated by a segmentation fault for a UDP packet size larger than 1…
from 0, < 1.16.1
HIGH7.5Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
from 0, < 1.12.5, >= 1.13.0, < 1.13.3, >= 1.14.0, < 1.14.3
HIGH7.5An issue was discovered in Envoy through 1.71.1.
>= 1.14.6, < 1.14.7, >= 1.15.3, < 1.15.4, >= 1.16.2, < 1.16.3, >= 1.17.1, < 1.17.2
HIGH7.5An issue was discovered in Envoy through 1.71.1.
>= 1.16.2, < 1.16.3, >= 1.17.1, < 1.17.2
HIGH7.5An issue was discovered in Envoy 1.14.0.
>= 1.14.6, < 1.14.7, >= 1.15.3, < 1.15.4, >= 1.16.2, < 1.16.3, >= 1.17.1, < 1.17.2
HIGH7.5Excessive CPU utilization when closing HTTP/2 streams
>= 1.16.0, < 1.16.5, >= 1.17.0, < 1.17.4, >= 1.18.0, < 1.18.4, >= 1.19.0, < 1.19.1
HIGH7.5Incorrect handling of H/2 GOAWAY followed by SETTINGS frames
>= 1.18.0, < 1.18.4, >= 1.19.0, < 1.19.1
HIGH7.5Continued processing of requests after locally generated response
>= 1.16.0, < 1.16.5, >= 1.17.0, < 1.17.4, >= 1.18.0, < 1.18.4, >= 1.19.0, < 1.19.1
HIGH7.5Null pointer dereference in envoy
from 0, < 1.18.6, >= 1.19.0, < 1.19.3, >= 1.20.0, < 1.20.2, >= 1.21.0, < 1.21.1
HIGH7.5Use-after-free in Envoy
from 0, < 1.18.6, >= 1.19.0, < 1.19.3, >= 1.20.0, < 1.20.2, >= 1.21.0, < 1.21.1
HIGH7.5Crash when tunneling TCP over HTTP in Envoy
from 0, < 1.18.6, >= 1.19.0, < 1.19.3, >= 1.20.0, < 1.20.2, >= 1.21.0, < 1.21.1
HIGH7.5Incorrect handling of internal redirects results in crash in Envoy
from 0, < 1.18.6, >= 1.19.0, < 1.19.3, >= 1.20.0, < 1.20.2, >= 1.21.0, < 1.21.1
HIGH7.5Zip bomb vulnerability in Envoy
from 0, < 1.22.1
HIGH7.5Use after free in Envoy
from 0, < 1.22.1
HIGH7.5Reachable assertion in Envoy
from 0, < 1.22.1
HIGH7.5Envoy may crash when a redirect url without a state param is received in the oauth filter
from 0, < 1.22.9, >= 1.23.0, < 1.23.6, >= 1.24.0, < 1.24.4, >= 1.25.0, < 1.25.3
HIGH7.5Envoy vulnerable to CORS filter segfault when origin header is removed
>= 1.23.0, < 1.23.12, >= 1.24.0, < 1.24.10, >= 1.25.0, < 1.25.9, >= 1.26.0, < 1.26.4
HIGH7.5Envoy crashes when idle and request per try timeout occur within the backoff interval
>= 1.26.0, < 1.26.7, >= 1.27.0, < 1.27.3, >= 1.28.0, < 1.28.1, >= 1.29.0, < 1.29.1
HIGH7.5Envoy ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata
>= 1.26.0, < 1.26.7, >= 1.27.0, < 1.27.3, >= 1.28.0, < 1.28.1, >= 1.29.0, < 1.29.1
HIGH7.5Envoy crashes when using an address type that isn’t supported by the OS
>= 1.26.0, < 1.26.7, >= 1.27.0, < 1.27.3, >= 1.28.0, < 1.28.1, >= 1.29.0, < 1.29.1
HIGH7.5Crash in proxy protocol when command type of LOCAL in Envoy
>= 1.26.0, < 1.26.7, >= 1.27.0, < 1.27.3, >= 1.28.0, < 1.28.1, >= 1.29.0, < 1.29.1
HIGH7.5Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec
from 0, < 1.23.11, >= 1.24.0, < 1.24.9, >= 1.25.0, < 1.25.8, >= 1.26.0, < 1.26.3
HIGH7.5Excessive CPU usage in Pomerium
from 0, < 1.16.5, >= 1.17.0, < 1.17.4, >= 1.18.0, < 1.18.4, >= 1.19.0, < 1.19.1
HIGH7.1HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset in envoy
>= 1.31.0, < 1.31.5, >= 1.32.0, < 1.32.3
MEDIUM6.5Envoy crashes when JWT authentication is configured with the remote JWKS fetching
from 0, < 1.33.13, >= 1.34.0, < 1.34.11, >= 1.35.0, < 1.35.7, >= 1.36.0, < 1.36.3
MEDIUM6.5Envoy crashes when HTTP ext_proc processes local replies
from 0, < 1.30.10, >= 1.31.0, < 1.31.6, >= 1.32.0, < 1.32.4, >= 1.33.0, < 1.33.1
MEDIUM6.5Potential manipulate `x-envoy` headers from external sources in envoy
from 0, < 1.28.7, >= 1.29.0, < 1.29.9, >= 1.30.0, < 1.30.6, >= 1.31.0, < 1.31.2
MEDIUM6.5Malicious log injection via access logs in envoy
from 0, < 1.28.7, >= 1.29.0, < 1.29.9, >= 1.30.0, < 1.30.6, >= 1.31.0, < 1.31.2
MEDIUM6.5Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response
from 0, < 1.27.6, >= 1.28.0, < 1.28.4, >= 1.29.0, < 1.29.5, >= 1.30.0, < 1.30.2
MEDIUM6.5X.509 Extended Key Usage and Trust Purposes bypass in Envoy
from 0, < 1.18.6, >= 1.19.0, < 1.19.3, >= 1.20.0, < 1.20.2
MEDIUM6.5Crash when a cluster is deleted in Envoy
>= 1.20.0, < 1.20.2, >= 1.21.0, < 1.21.1
MEDIUM6.5Envoy may crash when a large request body is processed in Lua filter
from 0, < 1.22.9, >= 1.23.0, < 1.23.6, >= 1.24.0, < 1.24.4, >= 1.25.0, < 1.25.3
MEDIUM6.5Envoy's gRPC access log crash caused by the listener draining
>= 1.23.0, < 1.23.12, >= 1.24.0, < 1.24.10, >= 1.25.0, < 1.25.9, >= 1.26.0, < 1.26.4
MEDIUM5.9Envoy HTTP: filter chain execution on reset streams causing UAF crash
from 0, < 1.34.13, >= 1.35.0, < 1.35.9, >= 1.36.0, < 1.36.5, >= 1.37.0, < 1.37.1
MEDIUM5.9Crash for scoped ip address in Envoy during DNS
from 0, < 1.34.13, >= 1.35.0, < 1.35.9, >= 1.36.0, < 1.36.5, >= 1.37.0, < 1.37.1
MEDIUM5.9Envoy affected by a crash (use-after-free) in EnvoyQuicServerStream
from 0, < 1.27.6, >= 1.28.0, < 1.28.4, >= 1.29.0, < 1.29.5, >= 1.30.0, < 1.30.2
MEDIUM5.9X.509 subjectAltName matching bypass in Envoy
from 0, < 1.20.2
MEDIUM5.9Segmentation fault leading to crash in Envoy
from 0, < 1.22.1
MEDIUM5.4TLS Validation Vulnerability in Envoy
from 0, < 1.12.6, >= 1.13.0, < 1.13.4, >= 1.14.0, < 1.14.4
MEDIUM5.3Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly
from 0, < 1.34.13, >= 1.35.0, < 1.35.9, >= 1.36.0, < 1.36.5, >= 1.37.0, < 1.37.1
MEDIUM5.3Envoy has an off-by-one write in JsonEscaper::escapeString()
from 0, < 1.34.13, >= 1.35.0, < 1.35.9, >= 1.36.0, < 1.36.5, >= 1.37.0, < 1.37.1
MEDIUM5.3Envoy vulnerable to bypass of RBAC uri_template permission
from 0, < 1.31.8, >= 1.32.0, < 1.32.6, >= 1.33.0, < 1.33.3, >= 1.34.0, < 1.34.1
MEDIUM5.3CNCF Envoy through 1.13.0 TLS inspector bypass.
from 0, < 1.12.3, >= 1.13.0, < 1.13.1
MEDIUM5.3Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes
>= 1.23.0, < 1.23.12, >= 1.24.0, < 1.24.10, >= 1.25.0, < 1.25.9, >= 1.26.0, < 1.26.4
MEDIUM5.3Excessive CPU usage when URI template matcher is configured using regex in Envoy
>= 1.26.0, < 1.26.7, >= 1.27.0, < 1.27.3, >= 1.28.0, < 1.28.1, >= 1.29.0, < 1.29.1
MEDIUM5.0Envoy’s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte
from 0, < 1.33.13, >= 1.34.0, < 1.34.11, >= 1.35.0, < 1.35.7, >= 1.36.0, < 1.36.3
LOW3.7Envoy forwards early CONNECT data in TCP proxy mode
from 0, < 1.33.13, >= 1.34.0, < 1.34.11, >= 1.35.0, < 1.35.7, >= 1.36.0, < 1.36.3
LOW3.1Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue.
from 0, < 1.14.2
—Envoy allows large requests and responses to cause TCP connection pool crash
from 0, < 1.33.10, >= 1.34.0, < 1.34.9, >= 1.35.0, < 1.35.5, >= 1.36.0, < 1.36.1