CVE-2025-64763

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-64763

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64763.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64763

Aliases

Published

2025-12-03T18:13:58.496Z

Modified

2025-12-07T10:08:24.559489Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Envoy forwards early CONNECT data in TCP proxy mode

Details

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadablefeatures.rejectearlyconnectdata runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64763.json",
    "cwe_ids": [
        "CWE-693"
    ]
}

References

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type

GIT

Repo

https://github.com/envoyproxy/envoy

Events

Introduced

63ee0dc79dce88117c6bd2df5a742f8eb67ea980

Last affected

dc2d3098ae5641555f15c71d5bb5ce0060a8015c

Database specific

{
    "versions": [
        {
            "introduced": "1.36.0"
        },
        {
            "last_affected": "1.36.2"
        }
    ]
}

Type

GIT

Repo

https://github.com/envoyproxy/envoy

Events

Introduced

84305a6cb64bd55aaf606bdd53de7cd6080427a1

Last affected

0d240c4b0f5b5db91ef14b1bf424520144b1a75d

Database specific

{
    "versions": [
        {
            "introduced": "1.35.0"
        },
        {
            "last_affected": "1.35.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/envoyproxy/envoy

Events

Introduced

d7809ba2b07fd869d49bfb122b27f6a7977b4d94

Last affected

40ab4828a48f05103573ddee3c807dfa0e3e23f7

Database specific

{
    "versions": [
        {
            "introduced": "1.34.0"
        },
        {
            "last_affected": "1.34.10"
        }
    ]
}

Type

GIT

Repo

https://github.com/envoyproxy/envoy

Events

Introduced

Last affected

d602fb5d4af3ef3740621590e59187233398e0c0

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.33.12"
        }
    ]
}

Affected versions

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.18.1

v1.18.2

v1.19.0

v1.2.0

v1.20.0

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.28.0

v1.29.0

v1.3.0

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.33.1

v1.33.10

v1.33.11

v1.33.12

v1.33.2

v1.33.3

v1.33.4

v1.33.5

v1.33.6

v1.33.7

v1.33.8

v1.33.9

v1.34.0

v1.34.1

v1.34.10

v1.34.2

v1.34.3

v1.34.4

v1.34.5

v1.34.6

v1.34.7

v1.34.8

v1.34.9

v1.35.0

v1.35.1

v1.35.2

v1.35.3

v1.35.4

v1.35.5

v1.35.6

v1.36.0

v1.36.1

v1.36.2

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0