
envoyproxy — Vulnerabilities & Security Advisories (73)

Browse all 73 CVE security advisories affecting envoyproxy. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Envoy (envoyproxy) is a high-performance, open-source edge and service proxy, primarily deployed in cloud-native environments to manage ingress and egress traffic. Despite its architectural robustness, the project has accumulated 73 recorded Common Vulnerabilities and Exposures, reflecting the complexity of its extensive feature set. Historically, these security flaws predominantly involve memory-safety issues such as buffer overflows and use-after-free errors, which can lead to remote code execution or denial-of-service conditions. While cross-site scripting and privilege escalation are less frequent, configuration errors and parsing vulnerabilities remain significant risks. Notable incidents often stem from improper input validation in HTTP/2 or gRPC handling, allowing attackers to crash proxies or bypass access controls. Continuous patching and strict configuration management are essential for maintaining the integrity of deployments that rely on this critical infrastructure component.

Top products by envoyproxy: envoy gateway
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-34363 | Envoy can crash due to uncaught nlohmann JSON exception | envoy | CWE-248 | 7.5 | High | 2024-06-04 |
| CVE-2024-34364 | Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response | envoy | CWE-400 | 5.7 | Medium | 2024-06-04 |
| CVE-2024-23326 | Envoy incorrectly accepts HTTP 200 response for entering upgrade mode | envoy | CWE-391 | 5.9 | Medium | 2024-06-04 |
| CVE-2024-32475 | Envoy RELEASE_ASSERT using auto_sni with :authority header > 255 bytes | envoy | CWE-253 | 7.5 | High | 2024-04-18 |
| CVE-2024-30255 | HTTP/2: CPU exhaustion due to CONTINUATION frame flood | envoy | CWE-390 | 5.3 | Medium | 2024-04-04 |
| CVE-2024-27919 | HTTP/2: memory exhaustion due to CONTINUATION frame flood | envoy | CWE-390 | 7.5 | High | 2024-04-04 |
| CVE-2024-23322 | Envoy crashes when idle and request per try timeout occur within the backoff interval | envoy | CWE-416 | 7.5 | High | 2024-02-09 |
| CVE-2024-23323 | Excessive CPU usage when URI template matcher is configured using regex in Envoy | envoy | CWE-400 | 4.3 | Medium | 2024-02-09 |
| CVE-2024-23324 | Envoy ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata | envoy | CWE-20 | 8.6 | High | 2024-02-09 |
| CVE-2024-23325 | Envoy crashes when using an address type that isn't supported by the OS | envoy | CWE-755 | 7.5 | High | 2024-02-09 |
| CVE-2024-23327 | Crash in proxy protocol when command type of LOCAL in Envoy | envoy | CWE-476 | 7.5 | High | 2024-02-09 |
| CVE-2023-35944 | Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes | envoy | CWE-20 | 8.2 | High | 2023-07-25 |
| CVE-2023-35943 | Envoy vulnerable to CORS filter segfault when origin header is removed | envoy | CWE-416 | 6.3 | Medium | 2023-07-25 |
| CVE-2023-35942 | Envoy's gRPC access log crash caused by the listener draining | envoy | CWE-416 | 6.5 | Medium | 2023-07-25 |
| CVE-2023-35941 | Envoy vulnerable to OAuth2 credentials exploit with permanent validity | envoy | CWE-116 | 8.6 | High | 2023-07-25 |
| CVE-2023-35945 | Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec | envoy | CWE-400 | 7.5 | High | 2023-07-13 |
| CVE-2023-27496 | Envoy may crash when a redirect url without a state param is received in the oauth filter | envoy | CWE-20 | 6.5 | Medium | 2023-04-04 |
| CVE-2023-27493 | Envoy doesn't escape HTTP header values | envoy | CWE-20 | 8.1 | High | 2023-04-04 |
| CVE-2023-27492 | Envoy may crash when a large request body is processed in Lua filter | envoy | CWE-770 | 4.8 | Medium | 2023-04-04 |
| CVE-2023-27491 | Envoy forwards invalid Http2/Http3 downstream headers | envoy | CWE-20 | 5.4 | Medium | 2023-04-04 |
| CVE-2023-27488 | Envoy gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received | envoy | CWE-20 | 5.4 | Medium | 2023-04-04 |
| CVE-2023-27487 | Envoy client may fake the header `x-envoy-original-path` | envoy | CWE-20 | 8.2 | High | 2023-04-04 |
| CVE-2022-29227 | Use after free in Envoy | envoy | CWE-416 | 7.5 | High | 2022-06-09 |
| CVE-2022-29226 | Trivial authentication bypass in Envoy | envoy | CWE-306 | 10.0 | Critical | 2022-06-09 |
| CVE-2022-29228 | Reachable assertion in Envoy | envoy | CWE-617 | 7.5 | High | 2022-06-09 |
| CVE-2022-29225 | Zip bomb vulnerability in Envoy | envoy | CWE-400 | 7.5 | High | 2022-06-09 |
| CVE-2022-29224 | Segmentation fault leading to crash in Envoy | envoy | CWE-476 | 5.9 | Medium | 2022-06-09 |
| CVE-2021-43826 | Crash when tunneling TCP over HTTP in Envoy | envoy | CWE-416 | 7.5 | High | 2022-02-22 |
| CVE-2021-43825 | Use-after-free in Envoy | envoy | CWE-416 | 6.1 | Medium | 2022-02-22 |
| CVE-2022-21655 | Incorrect handling of internal redirects results in crash in Envoy | envoy | CWE-670 | 7.5 | High | 2022-02-22 |

This page lists every published CVE security advisory associated with envoyproxy. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.