GHSA-rj35-4m94-77jh

Source

https://github.com/advisories/GHSA-rj35-4m94-77jh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-rj35-4m94-77jh/GHSA-rj35-4m94-77jh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rj35-4m94-77jh

Aliases

Published

2025-12-05T18:12:51Z

Modified

2025-12-10T20:19:27.162055Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Envoy forwards early CONNECT data in TCP proxy mode

Details

Summary

Forwarding of early CONNECT data in TCP proxy mode.

Details

Per RFC 7231-4.3.6 the sender of CONNECT (and all inbound proxies) switch to tunnel mode only after receiving 2xx response. However in TCP proxy mode, Envoy accepts client data before it has issued a 2xx response and eagerly proxies it to an established TCP connection. This creates possibility of a de-synchronized tunnel state if a proxy upstream from Envoy responds with a status other an 2xx.

The RFC does not specify the behavior in case an early CONNECT data is received and early CONNECT data is common as a latency reduction mechanism. To prevent disruption to existing deployments Envoy will by default allow early CONNECT data. Setting the envoy.reloadable_features.reject_early_connect_data runtime flag to true will cause CONNECT requests that send data before 2xx response to be rejected. This options should be enabled if there are intermediaries upstream from Envoy that may reject establishment of a CONNECT tunnel.

Impact

De-synchronization of CONNECT tunnel state if a forwarding proxy upstream from Envoy responds with a non 2xx status.

Attack vector(s)

Sending data for a CONNECT request before receiving 2xx response.

Patches

Users should upgrade to v1.36.3, v1.35.7, v1.34.11 or v1.33.13

Credits

chasingimpact (Patrick)

Database specific

{
    "cwe_ids": [
        "CWE-693"
    ],
    "github_reviewed_at": "2025-12-05T18:12:51Z",
    "severity": "LOW",
    "nvd_published_at": "2025-12-03T18:15:47Z",
    "github_reviewed": true
}

References

Affected packages

Go

github.com/envoyproxy/envoy

Package

Name: github.com/envoyproxy/envoy; View open source insights on deps.dev
Purl: pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type: SEMVER
Events: Introduced

1.36.0

Fixed

1.36.3

Database specific

last_known_affected_version_range

"<= 1.36.2"

github.com/envoyproxy/envoy

Package

Name: github.com/envoyproxy/envoy; View open source insights on deps.dev
Purl: pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type: SEMVER
Events: Introduced

1.35.0

Fixed

1.35.7

Database specific

last_known_affected_version_range

"<= 1.35.6"

github.com/envoyproxy/envoy

Package

Name: github.com/envoyproxy/envoy; View open source insights on deps.dev
Purl: pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type: SEMVER
Events: Introduced

1.34.0

Fixed

1.34.11

Database specific

last_known_affected_version_range

"<= 1.34.10"

github.com/envoyproxy/envoy

Package

Name: github.com/envoyproxy/envoy; View open source insights on deps.dev
Purl: pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.33.13

Database specific

last_known_affected_version_range

"<= 1.33.12"