GHSA-CF3Q-GQG7-3FM9

Vulnerability from github – Published: 2025-03-21 15:23 – Updated: 2025-03-21 15:43
Summary
Envoy crashes when HTTP ext_proc processes local replies
Details

Summary

Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server, due to a lifetime issue in the filter. One known trigger is a failed websocket handshake, which generates a local reply and leads to the crash of Envoy.

PoC

If both websocket and ext_proc are enabled, a failed handshake will trigger a local reply, thus ext_proc will crash.

Mitigation

  1. Disable websocket traffic.
  2. Change the websocket response from the backend so that it always returns `101 Switch protocol`, based on the RFC.
  3. Apply the patch so that the ext_proc filter does not send local replies generated by Envoy to the ext_proc server for processing.
  4. Apply the patch that makes the router cancel upstream requests when sending a local reply.
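
An added example, not part of the advisory or of Envoy's code: a Python audit that flags connection managers meeting the PoC condition (the ext_proc filter together with websocket upgrades) and checks a version against the fixed releases in the advisory's affected ranges. It assumes the Envoy config is available as JSON and that versions are plain x.y.z; the function names and the sample config are constructed for illustration.

```python
import json

# Fixed releases from the advisory's affected ranges (1.30.10 closes the "introduced: 0" range).
FIXED = {(1, 31): 6, (1, 32): 4, (1, 33): 1}
EXT_PROC = "envoy.filters.http.ext_proc"

def is_affected(version):
    """True if a plain x.y.z Envoy version falls inside an affected range."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor, patch) < (1, 30, 10):
        return True
    fixed_patch = FIXED.get((major, minor))
    return fixed_patch is not None and patch < fixed_patch

def _dicts(node):
    """Yield every dict nested anywhere inside a parsed config."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _dicts(value)
    elif isinstance(node, list):
        for value in node:
            yield from _dicts(value)

def exposed_hcms(config):
    """stat_prefix of each connection manager with ext_proc plus websocket upgrades."""
    hits = []
    for hcm in _dicts(config):
        filters = hcm.get("http_filters")
        if not isinstance(filters, list):
            continue
        ext_proc = any(f.get("name") == EXT_PROC or "ext_proc.v3.ExternalProcessor"
                       in f.get("typed_config", {}).get("@type", "") for f in filters)
        # Conservative: HCM-level and route-level upgrade_configs both count.
        websocket = any(u.get("upgrade_type", "").lower() == "websocket"
                        and u.get("enabled", True)
                        for d in _dicts(hcm) for u in d.get("upgrade_configs", []))
        if ext_proc and websocket:
            hits.append(hcm.get("stat_prefix", "<unnamed>"))
    return hits

# Constructed sample config (JSON form of an Envoy bootstrap fragment).
SAMPLE = json.loads("""{"static_resources": {"listeners": [{"filter_chains": [
 {"filters": [{"typed_config": {"stat_prefix": "edge",
   "upgrade_configs": [{"upgrade_type": "websocket"}],
   "http_filters": [{"name": "envoy.filters.http.ext_proc"},
                    {"name": "envoy.filters.http.router"}]}}]},
 {"filters": [{"typed_config": {"stat_prefix": "internal",
   "http_filters": [{"name": "envoy.filters.http.router"}]}}]}]}]}}""")

if __name__ == "__main__":
    print(exposed_hcms(SAMPLE), is_affected("1.32.3"))
```

A connection manager reported here on an affected version is a candidate for mitigations 1 and 2 until a fixed release is deployed.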

Impact

Denial of service

Reporter

Vasilios Syrakis, Fernando Cainelli


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.30.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.31.0"
            },
            {
              "fixed": "1.31.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.32.0"
            },
            {
              "fixed": "1.32.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.33.0"
            },
            {
              "fixed": "1.33.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-460"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T15:23:50Z",
    "nvd_published_at": "2025-03-21T15:15:43Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nEnvoy\u0027s ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter\u0027s life time issue. A known situation is the fail of a websocket handshake will trigger a local reply leading to the crash of Envoy.\n\n### PoC\nIf both websocket and ext_proc are enabled, a failed handshake will trigger a local reply, thus ext_proc will crash.\n\n### Mitigation\n1. Disable websocket traffic\n2. Change the websocket response from backend to always return `101 Switch protocol` based on RFC.\n3. Apply the patch and the ext_proc filter will not send the local reply that is generated by Envoy to the ext_proc server for processing.\n4. Apply the patch that the router will cancel the upstream requests when sending a local reply.\n\n### Impact\nDenial of service\n\n### Reporter\nVasilios Syrakis\nFernando Cainelli",
  "id": "GHSA-cf3q-gqg7-3fm9",
  "modified": "2025-03-21T15:43:00Z",
  "published": "2025-03-21T15:23:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-cf3q-gqg7-3fm9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30157"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/commit/8eda1b8ef5ba8663d16a737ab99458c039a9b53c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/envoyproxy/envoy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Envoy crashes when HTTP ext_proc processes local replies"
}

