CVE-2025-30157

Summary

Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's life time issue. A known situation is the failure of a websocket handshake will trigger a local reply leading to the crash of Envoy. This vulnerability is fixed in 1.33.1, 1.32.4, 1.31.6, and 1.30.10.

Affected Software

VendorProductVersion RangeStatus
envoyproxyenvoy>= 1.33.0, < 1.33.1affected
envoyproxyenvoy>= 1.32.0, < 1.32.4affected
envoyproxyenvoy>= 1.31.0, < 1.31.6affected
envoyproxyenvoy< 1.30.10affected

Weaknesses

  • CWE-460: CWE-460: Improper Cleanup on Thrown Exception

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References