
Envoy — Vulnerabilities & Security Advisories (77)

All 77 CVE vulnerabilities found in Envoy, with AI-generated Chinese analysis, references, and POCs.

This page aggregates known vulnerabilities for the Envoy proxy, grouped by weakness category (CWE) and tagged for software-supply-chain tracking. It covers critical, high, and medium severity issues affecting the Envoy ecosystem from the initial public release to the present. Use it to follow vendor advisories and the patches they announce, to understand the weakness classes behind specific entries (such as buffer overflows or injection flaws), and to review the product's vulnerability history when assessing risk exposure over time. Entries are ordered by severity and publication date so that developers and operators can prioritize remediation for the service meshes and edge deployments that depend on Envoy. Data points are taken from official vendor announcements and established security databases. Two caveats for readers: the table below lists the 30 most recent of the 77 entries, and the list is matched by product name, so CVE-2023-33869 (an OS command injection in the Enphase Envoy gateway) concerns a different product, not the Envoy proxy.

Vendor: envoyproxy

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-32975 | Envoy crashes in QuicheDataReader::PeekVarInt62Length() | CWE-191 | 5.9 | Medium | 2024-06-04 |
| CVE-2024-32976 | Envoy can enter an endless loop while decompressing Brotli data with extra input | CWE-835 | 7.5 | High | 2024-06-04 |
| CVE-2024-34362 | Envoy affected by a crash (use-after-free) in EnvoyQuicServerStream | CWE-416 | 5.9 | Medium | 2024-06-04 |
| CVE-2024-34363 | Envoy can crash due to uncaught nlohmann JSON exception | CWE-248 | 7.5 | High | 2024-06-04 |
| CVE-2024-34364 | Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response | CWE-400 | 5.7 | Medium | 2024-06-04 |
| CVE-2024-23326 | Envoy incorrectly accepts HTTP 200 response for entering upgrade mode | CWE-391 | 5.9 | Medium | 2024-06-04 |
| CVE-2024-32475 | Envoy RELEASE_ASSERT using auto_sni with :authority header > 255 bytes | CWE-253 | 7.5 | High | 2024-04-18 |
| CVE-2024-30255 | HTTP/2: CPU exhaustion due to CONTINUATION frame flood | CWE-390 | 5.3 | Medium | 2024-04-04 |
| CVE-2024-27919 | HTTP/2: memory exhaustion due to CONTINUATION frame flood | CWE-390 | 7.5 | High | 2024-04-04 |
| CVE-2024-23322 | Envoy crashes when idle and request per try timeout occur within the backoff interval | CWE-416 | 7.5 | High | 2024-02-09 |
| CVE-2024-23323 | Excessive CPU usage when URI template matcher is configured using regex in Envoy | CWE-400 | 4.3 | Medium | 2024-02-09 |
| CVE-2024-23324 | Envoy ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata | CWE-20 | 8.6 | High | 2024-02-09 |
| CVE-2024-23325 | Envoy crashes when using an address type that isn't supported by the OS | CWE-755 | 7.5 | High | 2024-02-09 |
| CVE-2024-23327 | Crash in proxy protocol when command type of LOCAL in Envoy | CWE-476 | 7.5 | High | 2024-02-09 |
| CVE-2023-35944 | Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes | CWE-20 | 8.2 | High | 2023-07-25 |
| CVE-2023-35943 | Envoy vulnerable to CORS filter segfault when origin header is removed | CWE-416 | 6.3 | Medium | 2023-07-25 |
| CVE-2023-35942 | Envoy's gRPC access log crash caused by the listener draining | CWE-416 | 6.5 | Medium | 2023-07-25 |
| CVE-2023-35941 | Envoy vulnerable to OAuth2 credentials exploit with permanent validity | CWE-116 | 8.6 | High | 2023-07-25 |
| CVE-2023-35945 | Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec | CWE-400 | 7.5 | High | 2023-07-13 |
| CVE-2023-33869 | Enphase Envoy OS Command Injection | CWE-78 | 6.3 | Medium | 2023-06-20 |
| CVE-2023-27496 | Envoy may crash when a redirect url without a state param is received in the oauth filter | CWE-20 | 6.5 | Medium | 2023-04-04 |
| CVE-2023-27493 | Envoy doesn't escape HTTP header values | CWE-20 | 8.1 | High | 2023-04-04 |
| CVE-2023-27492 | Envoy may crash when a large request body is processed in Lua filter | CWE-770 | 4.8 | Medium | 2023-04-04 |
| CVE-2023-27491 | Envoy forwards invalid Http2/Http3 downstream headers | CWE-20 | 5.4 | Medium | 2023-04-04 |
| CVE-2023-27488 | Envoy gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received | CWE-20 | 5.4 | Medium | 2023-04-04 |
| CVE-2023-27487 | Envoy client may fake the header `x-envoy-original-path` | CWE-20 | 8.2 | High | 2023-04-04 |
| CVE-2022-29227 | Use after free in Envoy | CWE-416 | 7.5 | High | 2022-06-09 |
| CVE-2022-29226 | Trivial authentication bypass in Envoy | CWE-306 | 10.0 | Critical | 2022-06-09 |
| CVE-2022-29228 | Reachable assertion in Envoy | CWE-617 | 7.5 | High | 2022-06-09 |
| CVE-2022-29225 | Zip bomb vulnerability in Envoy | CWE-400 | 7.5 | High | 2022-06-09 |
