CVE-2025-30157 – github.com/envoyproxy/envoy

Package

Manager: go
Name: github.com/envoyproxy/envoy
Vulnerable Version: >=0 <1.30.10 || >=1.31.0 <1.31.6 || >=1.32.0 <1.32.4 || >=1.33.0 <1.33.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 4e-05 pctl0.00185

Details

Envoy crashes when HTTP ext_proc processes local replies ### Summary Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's life time issue. A known situation is the fail of a websocket handshake will trigger a local reply leading to the crash of Envoy. ### PoC If both websocket and ext_proc are enabled, a failed handshake will trigger a local reply, thus ext_proc will crash. ### Mitigation 1. Disable websocket traffic 2. Change the websocket response from backend to always return `101 Switch protocol` based on RFC. 3. Apply the patch and the ext_proc filter will not send the local reply that is generated by Envoy to the ext_proc server for processing. 4. Apply the patch that the router will cancel the upstream requests when sending a local reply. ### Impact Denial of service ### Reporter Vasilios Syrakis Fernando Cainelli

Metadata

Created: 2025-03-21T15:23:50Z
Modified: 2025-03-21T15:43:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-cf3q-gqg7-3fm9/GHSA-cf3q-gqg7-3fm9.json
CWE IDs: ["CWE-460"]
Alternative ID: GHSA-cf3q-gqg7-3fm9
Finding: F008
Auto approve: 1