BIT-envoy-2025-64763
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2025-64763.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-envoy-2025-64763
- Aliases
- Published
- 2025-12-06T11:38:19.488Z
- Modified
- 2025-12-09T12:19:46.740500Z
- Summary
- Envoy forwards early CONNECT data in TCP proxy mode
- Details
-
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadablefeatures.rejectearlyconnectdata runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.
- Database specific
{ "severity": "Medium", "cpes": [ "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:go:*:*" ] }- References
Affected packages
Bitnami / envoy
Package
- Name
- envoy
- Purl
- pkg:bitnami/envoy
Severity
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator