CVE-2025-62504
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-16

Last updated on: 2025-10-29

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-16
Last Modified
2025-10-29
Generated
2026-05-07
AI Q&A
2025-10-17
EPSS Evaluated
2026-05-05
NVD
CVE-2025-62504
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
envoyproxy envoy to 1.33.12 (exc)
envoyproxy envoy From 1.34.0 (inc) to 1.34.10 (exc)
envoyproxy envoy From 1.35.0 (inc) to 1.35.6 (exc)
envoyproxy envoy From 1.36.0 (inc) to 1.36.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free flaw in the Lua filter of Envoy proxy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12. When a Lua script modifies a response body during the response phase so that its size exceeds a configured buffer limit (default 1MB), Envoy generates a local reply that overrides the original response headers but leaves dangling references in memory. This causes Envoy to crash.


How can this vulnerability impact me? :

The vulnerability can cause Envoy to crash, resulting in a denial of service (DoS). This means that services relying on Envoy as a proxy could become unavailable or disrupted when the vulnerability is triggered.


What immediate steps should I take to mitigate this vulnerability?

Update Envoy to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 to fix the use-after-free vulnerability. Alternatively, increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition, but these do not fix the underlying memory safety flaw.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart