CVE-2025-62504

HIGH EPSS 30.2%
Published Oct 16, 20258mo ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
High
Find Similar
Published Oct 16, 2025 8mo ago
Last Modified Jun 17, 2026 1w ago

Description

Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
30.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 4

VendorProductVersionRange
envoyproxyenvoy* <1.33.12
envoyproxyenvoy*≥1.34.0  –  <1.34.10
envoyproxyenvoy*≥1.35.0  –  <1.35.6
envoyproxyenvoy*≥1.36.0  –  <1.36.2

References 1

  • github.com https://github.com/envoyproxy/envoy/security/advisories/GHSA-gcxr-6vrp-wff3
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.