ghsa-cf3q-gqg7-3fm9
Vulnerability from github
Published: 2025-03-21 15:23
Modified: 2025-03-21 15:43
Summary: Envoy crashes when HTTP ext_proc processes local replies
Details
Summary
Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server, due to a lifetime issue in the filter. One known trigger is a failed websocket handshake, which produces a local reply and leads to the crash of Envoy.
PoC
If both websocket and ext_proc are enabled, a failed handshake will trigger a local reply, thus ext_proc will crash.
Mitigation
- Disable websocket traffic
- Change the websocket response from backend to always return `101 Switch protocol` based on RFC.
- Apply the patch so that the ext_proc filter does not send the local reply generated by Envoy to the ext_proc server for processing.
- Apply the patch so that the router cancels the upstream requests when sending a local reply.
Impact
Denial of service
Reporter
Vasilios Syrakis, Fernando Cainelli
{
  "affected": [
    {
      "package": { "ecosystem": "Go", "name": "github.com/envoyproxy/envoy" },
      "ranges": [
        { "events": [ { "introduced": "0" }, { "fixed": "1.30.10" } ], "type": "ECOSYSTEM" }
      ]
    },
    {
      "package": { "ecosystem": "Go", "name": "github.com/envoyproxy/envoy" },
      "ranges": [
        { "events": [ { "introduced": "1.31.0" }, { "fixed": "1.31.6" } ], "type": "ECOSYSTEM" }
      ]
    },
    {
      "package": { "ecosystem": "Go", "name": "github.com/envoyproxy/envoy" },
      "ranges": [
        { "events": [ { "introduced": "1.32.0" }, { "fixed": "1.32.4" } ], "type": "ECOSYSTEM" }
      ]
    },
    {
      "package": { "ecosystem": "Go", "name": "github.com/envoyproxy/envoy" },
      "ranges": [
        { "events": [ { "introduced": "1.33.0" }, { "fixed": "1.33.1" } ], "type": "ECOSYSTEM" }
      ]
    }
  ],
  "aliases": [ "CVE-2025-30157" ],
  "database_specific": {
    "cwe_ids": [ "CWE-460" ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T15:23:50Z",
    "nvd_published_at": "2025-03-21T15:15:43Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nEnvoy\u0027s ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter\u0027s life time issue. A known situation is the fail of a websocket handshake will trigger a local reply leading to the crash of Envoy.\n\n### PoC\nIf both websocket and ext_proc are enabled, a failed handshake will trigger a local reply, thus ext_proc will crash.\n\n### Mitigation\n1. Disable websocket traffic\n2. Change the websocket response from backend to always return `101 Switch protocol` based on RFC.\n3. Apply the patch and the ext_proc filter will not send the local reply that is generated by Envoy to the ext_proc server for processing.\n4. Apply the patch that the router will cancel the upstream requests when sending a local reply.\n\n### Impact\nDenial of service\n\n### Reporter\nVasilios Syrakis\nFernando Cainelli",
  "id": "GHSA-cf3q-gqg7-3fm9",
  "modified": "2025-03-21T15:43:00Z",
  "published": "2025-03-21T15:23:50Z",
  "references": [
    { "type": "WEB", "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-cf3q-gqg7-3fm9" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30157" },
    { "type": "WEB", "url": "https://github.com/envoyproxy/envoy/commit/8eda1b8ef5ba8663d16a737ab99458c039a9b53c" },
    { "type": "PACKAGE", "url": "https://github.com/envoyproxy/envoy" }
  ],
  "schema_version": "1.4.0",
  "severity": [
    { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "type": "CVSS_V3" }
  ],
  "summary": "Envoy crashes when HTTP ext_proc processes local replies"
}