Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Envoy — Vulnerabilities & Security Advisories 92

All 92 CVE vulnerabilities found in Envoy, with AI-generated Chinese analysis, references, and POCs.

This page documents vulnerability aggregations for the Envoy proxy platform, specifically focusing on Common Weakness Enumeration classifications and associated security tags. It compiles a comprehensive collection of identified security flaws affecting the product, covering historical data from its initial releases through to the most recent patches released in the current year. Visitors to this resource can effectively track vendor security advisories to stay informed about critical updates, gain a deeper understanding of specific weakness classes prevalent in the codebase, and look up the product’s complete vulnerability history to assess long-term risk trends. The data includes various types of issues ranging from memory safety errors to configuration vulnerabilities that may impact service availability or confidentiality. By centralizing these findings, the page serves as a reference for security professionals and developers seeking to understand the threat landscape surrounding the Envoy service mesh component. Users can correlate reported weaknesses with specific versions and understand the remediation efforts applied by the maintainers over time. This structured approach allows for better risk assessment and prioritization of security hygiene tasks within infrastructure managed by this popular open-source proxy. The aggregation ensures that stakeholders have a clear view of the security posture without needing to search through disparate sources.

Vendor: envoyproxy

CVE IDTitleCVSSSeverityPublished
CVE-2024-53271 HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset in envoy CWE-670 7.1 High2024-12-18
CVE-2024-53270 HTTP/1: sending overload crashes when the request is reset beforehand in envoy CWE-670 7.5 High2024-12-18
CVE-2024-53269 Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting in envoy CWE-670 4.5 Medium2024-12-18
CVE-2024-45806 Potential manipulate `x-envoy` headers from external sources in envoy CWE-639 6.5 Medium2024-09-19
CVE-2024-45807 oghttp2 crash on OnBeginHeadersForStream in envoy CWE-670 7.5 High2024-09-19
CVE-2024-45808 Malicious log injection via access logs in envoy CWE-117 6.5 Medium2024-09-19
CVE-2024-45809 Jwt filter crash in the clear route cache with remote JWKs in envoy CWE-119 5.3 Medium2024-09-19
CVE-2024-45810 Envoy crashes for LocalReply in http async client CWE-119 6.5 Medium2024-09-19
CVE-2024-21879 URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and < v8.2.4225 CWE-77 8.8AIHighAI2024-08-10
CVE-2024-21877 Insecure File Generation Based on User Input in Enphase IQ Gateway version 4.x to 8.x and < 8.2.4225 CWE-22 8.1AIHighAI2024-08-10
CVE-2024-21878 Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x CWE-77 8.8AIHighAI2024-08-10
CVE-2024-21880 URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x <= 7.x CWE-77 8.8AIHighAI2024-08-10
CVE-2024-21881 Upload of encrypted packages allows authenticated command execution in Enphase IQ Gateway v4.x and v5.x CWE-326 8.8AIHighAI2024-08-10
CVE-2024-39305 Envoy Proxy use after free when route hash policy is configured with cookie attributes CWE-416 6.5 Medium2024-07-01
CVE-2024-32974 Envoy affected by a crash in EnvoyQuicServerStream::OnInitialHeadersComplete() CWE-416 5.9 Medium2024-06-04
CVE-2024-32975 Envoy crashes in QuicheDataReader::PeekVarInt62Length() CWE-191 5.9 Medium2024-06-04
CVE-2024-32976 Envoy can enter an endless loop while decompressing Brotli data with extra input CWE-835 7.5 High2024-06-04
CVE-2024-34362 Envoy affected by a crash (use-after-free) in EnvoyQuicServerStream CWE-416 5.9 Medium2024-06-04
CVE-2024-34363 Envoy can crash due to uncaught nlohmann JSON exception CWE-248 7.5 High2024-06-04
CVE-2024-34364 Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response CWE-400 5.7 Medium2024-06-04
CVE-2024-23326 Envoy incorrectly accepts HTTP 200 response for entering upgrade mode CWE-391 5.9 Medium2024-06-04
CVE-2024-32475 Envoy RELEASE_ASSERT using auto_sni with :authority header > 255 bytes CWE-253 7.5 High2024-04-18
CVE-2024-30255 HTTP/2: CPU exhaustion due to CONTINUATION frame flood CWE-390 5.3 Medium2024-04-04
CVE-2024-27919 HTTP/2: memory exhaustion due to CONTINUATION frame flood CWE-390 7.5 High2024-04-04
CVE-2024-23322 Envoy crashes when idle and request per try timeout occur within the backoff interval CWE-416 7.5 High2024-02-09
CVE-2024-23323 Excessive CPU usage when URI template matcher is configured using regex in Envoy CWE-400 4.3 Medium2024-02-09
CVE-2024-23324 Envoy ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata CWE-20 8.6 High2024-02-09
CVE-2024-23325 Envoy crashes when using an address type that isn’t supported by the OS CWE-755 7.5 High2024-02-09
CVE-2024-23327 Crash in proxy protocol when command type of LOCAL in Envoy CWE-476 7.5 High2024-02-09
CVE-2023-35944 Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes CWE-20 8.2 High2023-07-25

All 92 known CVE vulnerabilities affecting Envoy with full Chinese analysis, references, and POCs where available.