Envoy is a popular open-source, cloud-native high-performance edge/middle/service proxy designed for modern application architectures. It provides several advanced features, such as load balancing, service discovery, circuit breaking, rate limiting, and more. You can find more information about Envoy on their official website.

Vulnerability Details

Recently, a vulnerability (CVE-2025-30157) was disclosed in Envoy's ext_proc (External Processing) HTTP filter. Under certain conditions it causes the Envoy process to crash. The issue affects the 1.30 through 1.33 release branches prior to the patch releases 1.33.1, 1.32.4, 1.31.6, and 1.30.10.

The root cause is an object-lifetime issue in the ext_proc HTTP filter. A "local reply" is a response that Envoy generates itself rather than receiving from an upstream, for example the error returned when a request is rejected before it is proxied. When such a local reply is sent to the external processing server, the filter can end up using state whose lifetime has already ended, and Envoy crashes. A known condition that triggers this path is a failed WebSocket handshake.

This vulnerability is fixed in Envoy 1.33.1, 1.32.4, 1.31.6, and 1.30.10. Upgrade your Envoy deployment to the patched release for your branch, or newer, to remove exposure to this issue.

Code Snippet

Below is a simplified sketch of the affected area in the Envoy ext_proc HTTP filter. It is illustrative only; the function name and comments are not the verbatim source from the fix commit, which is linked in the resources section:

// envoy source code (simplified sketch, not the verbatim fix commit)
...
// Area of interest in the ext_proc HTTP filter.
// A "local reply" is a response Envoy produces itself, e.g. the error returned
// when a WebSocket upgrade handshake fails, rather than one received upstream.
void HttpFilter::sendLocalReply(Code response_code, absl::string_view response_details) {
  // The local reply travels back through the filter chain, so the ext_proc
  // filter may forward it to the external processing server. In affected
  // versions this path could touch filter state whose lifetime had already
  // ended, crashing the Envoy process (the lifetime issue fixed in the patch).
  ...
}
...

Exploitability

While no public exploit is known at the time of writing, an attacker who can reach an affected listener and knows about this issue could craft traffic that causes a WebSocket handshake failure, or another scenario that routes a local reply to the external processing server, crashing the Envoy instance.

Such an attack affects only availability: the proxy process dies and every service behind it is unreachable until it restarts, so the practical outcome is a denial of service (DoS) that can be repeated as long as the trigger remains available.

To protect your Envoy deployment from this vulnerability, make sure to do the following:

1. Update Envoy to version 1.33.1, 1.32.4, 1.31.6, or 1.30.10 (whichever matches your release branch) or newer. You can find the latest version and upgrade instructions on the Envoy GitHub repository. Remember that bundled copies of Envoy, such as those shipped by service meshes and API gateways, have to be upgraded through their own release channels.
2. Keep your infrastructure and security policies up to date, and monitor for signs that someone is trying to trigger the crash: unexpected Envoy process restarts, and abnormal rates of local replies or failed WebSocket upgrades on listeners that use the ext_proc filter.
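A quick way to tell whether a running Envoy already carries the fix is to compare its version against the four patched releases. The script below is an added example, not code from the Envoy project or from the advisory. It assumes the `envoy --version` banner has the form `envoy  version: <commit>/<version>/Clean/RELEASE/BoringSSL`, which is what current Envoy builds print, and the two banner lines it tests against are constructed samples, not captured from a real host:

```shell
#!/bin/sh
# Added example (not from the advisory or the Envoy project): classify an Envoy
# version against the CVE-2025-30157 fixed releases 1.33.1, 1.32.4, 1.31.6 and
# 1.30.10. Branches before 1.30 received no fix and are treated as vulnerable;
# 1.34 and later were cut after the fix and are treated as fixed.

# Returns 0 when MAJOR.MINOR.PATCH carries the fix, 1 when it does not,
# 2 when the string is not a three-part version.
envoy_has_fix() {
  ver="$1"
  case "$ver" in
    *.*.*) ;;
    *) return 2 ;;
  esac
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%[!0-9]*}   # drop a suffix such as "-dev"
  [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 2

  [ "$major" -gt 1 ] && return 0   # no such release today, but newer than every fix
  [ "$major" -lt 1 ] && return 1

  case "$minor" in
    30) [ "$patch" -ge 10 ] ;;
    31) [ "$patch" -ge 6 ] ;;
    32) [ "$patch" -ge 4 ] ;;
    33) [ "$patch" -ge 1 ] ;;
    *)  [ "$minor" -gt 33 ] ;;   # 1.34+: fixed; 1.29 and older: never fixed
  esac
}

# Extract MAJOR.MINOR.PATCH from an `envoy --version` banner line, assumed to be
#   envoy  version: <commit>/<version>/Clean/RELEASE/BoringSSL
envoy_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's|.*version: *[^/]*/\([0-9][0-9.]*\).*|\1|p'
}

# Classify a banner line; prints "fixed", "vulnerable" or "unparsed".
check_envoy_banner() {
  v=$(envoy_version_from_banner "$1")
  [ -n "$v" ] || { echo "unparsed"; return 2; }
  if envoy_has_fix "$v"; then echo "fixed"; else echo "vulnerable"; fi
}

# Constructed sample banners (not captured from a real host).
SAMPLE_OLD='envoy  version: 0123456789abcdef0123456789abcdef01234567/1.32.3/Clean/RELEASE/BoringSSL'
SAMPLE_NEW='envoy  version: 0123456789abcdef0123456789abcdef01234567/1.32.4/Clean/RELEASE/BoringSSL'

check_envoy_banner "$SAMPLE_OLD"   # vulnerable
check_envoy_banner "$SAMPLE_NEW"   # fixed

# Against the binary on this host, when one is installed:
# check_envoy_banner "$(envoy --version 2>/dev/null)"
```

The check is per release branch on purpose: 1.32.3 is vulnerable even though it is numerically higher than 1.31.6, so a plain "greater than" comparison against a single version would give the wrong answer. Run it on every node, including sidecars in a mesh, since each copy of the binary has to be upgraded separately.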

For more details about the vulnerability and its fix, you can check out the following resources:

- Envoy GitHub Repository - Vulnerability Fix Commit
- Envoy Security Advisory

Conclusion

CVE-2025-30157 is a lifetime issue in Envoy's ext_proc HTTP filter that can crash the Envoy process when a local reply, such as the one produced by a failed WebSocket handshake, is sent to the external processing server. Updating your Envoy deployment to version 1.33.1, 1.32.4, 1.31.6, or 1.30.10 or newer removes the issue. Because the impact is a remotely triggered denial of service on the proxy itself, schedule the upgrade promptly to maintain the availability of the services behind it.

Timeline

Published on: 03/21/2025 15:15:43 UTC
Last modified on: 04/01/2025 20:22:34 UTC