CVE-2025-64763

MEDIUM · CVSS 3.1: 5.3 · EPSS 18.9%
Published Dec 3, 2025 · Last Modified Jun 17, 2026

Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.

CVSS Details

Base Score: 5.3
Exploitability: 3.9
Impact: 1.4
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Threat Intelligence

EPSS Exploit Probability: 18.9% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-693

Affected Products 4

Vendor      Product  Version  Range
envoyproxy  envoy    *        <1.33.13
envoyproxy  envoy    *        ≥1.34.0 – <1.34.11
envoyproxy  envoy    *        ≥1.35.0 – <1.35.7
envoyproxy  envoy    *        ≥1.36.0 – <1.36.3

References 1

  • github.com https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh
    Patch, Vendor Advisory

Remediation

  • github.com https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh
    Patch, Vendor Advisory