CVE-2025-64527
BaseFortify
Publication date: 2025-12-03
Last updated on: 2025-12-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| envoyproxy | envoy | Up to 1.33.13 (exc) |
| envoyproxy | envoy | From 1.34.0 (inc) to 1.34.11 (exc) |
| envoyproxy | envoy | From 1.35.0 (inc) to 1.35.7 (exc) |
| envoyproxy | envoy | From 1.36.0 (inc) to 1.36.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Envoy proxy versions 1.33.12, 1.34.10, 1.35.6, 1.36.2 and earlier when the JWT authentication filter is configured with remote JWKS fetching and the allow_missing_or_failed option is enabled. If a request carries more than one JWT in its headers and the JWKS fetch for the first token fails, a re-entrancy bug in JwksFetcherImpl causes Envoy to crash. The failure callback onJwksError() runs the authenticator's handling of the second token, which calls fetch() again on the same fetcher object while the first callback is still on the stack. When that first callback returns, its reset() clears the state that the second fetch() has just installed, so when the asynchronous HTTP response for the second fetch arrives the fetcher dereferences a null pointer (CWE-476) and Envoy crashes.
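As an added illustration (not code from Envoy or from this page), the following C++ model reproduces the re-entrancy ordering described above: a fetcher with a single receiver slot, an authenticator that retries the next token from inside onJwksError() (the allow_missing_or_failed behaviour), and a simulated event loop that delivers responses later, as an asynchronous HTTP client would. The class names, the reset_before_callback switch and the "hardened" ordering are assumptions made for the illustration; the hardened variant shows one way to make the callback safe against re-entrant fetch() calls and is not a claim about what the actual Envoy patch does. The null pointer dereference is recorded instead of executed so the program can report it rather than abort.

```cpp
#include <cstddef>
#include <deque>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Result sink for a JWKS fetch; plays the role of Envoy's JwksFetcher::JwksReceiver.
struct JwksReceiver {
    virtual ~JwksReceiver() = default;
    virtual void onJwksSuccess(const std::string& jwks) = 0;
    virtual void onJwksError() = 0;
};

// Constructed stand-in for the proxy's event loop: completions queued by fetch()
// are delivered later, like an asynchronous HTTP response.
struct EventLoop {
    std::deque<std::function<void()>> ready;
    void run() {
        while (!ready.empty()) {
            auto cb = std::move(ready.front());
            ready.pop_front();
            cb();
        }
    }
};

// One fetcher object with one receiver_ slot shared by every fetch() made on it.
class JwksFetcher {
public:
    JwksFetcher(EventLoop& loop, bool reset_before_callback)
        : loop_(loop), reset_before_callback_(reset_before_callback) {}

    // Start an async fetch; `ok` decides how the simulated response completes.
    void fetch(bool ok, JwksReceiver& receiver) {
        receiver_ = &receiver;
        loop_.ready.push_back([this, ok] { onResponse(ok); });
    }

    bool nullDereferenceHit() const { return null_deref_; }

private:
    void onResponse(bool ok) {
        if (receiver_ == nullptr) {
            null_deref_ = true;  // the real proxy would crash at this point
            return;
        }
        if (reset_before_callback_) {
            // Hardened ordering (illustrative assumption): detach the receiver and
            // clear state before calling back, so a re-entrant fetch() from inside
            // the callback starts from a clean slot that nothing clears afterwards.
            JwksReceiver* r = receiver_;
            reset();
            if (ok) r->onJwksSuccess("{\"keys\":[]}"); else r->onJwksError();
        } else {
            // Vulnerable ordering: callback first, reset() second. If the callback
            // re-enters fetch(), the reset() below wipes that second fetch's state.
            if (ok) receiver_->onJwksSuccess("{\"keys\":[]}"); else receiver_->onJwksError();
            reset();
        }
    }
    void reset() { receiver_ = nullptr; }

    EventLoop& loop_;
    bool reset_before_callback_;
    JwksReceiver* receiver_ = nullptr;
    bool null_deref_ = false;
};

// Authenticator handling several tokens from one request under allow_missing_or_failed:
// a failed token is not fatal, the next token is tried, and that retry is issued from
// inside onJwksError(), i.e. re-entrantly while the first callback is still running.
class MultiTokenAuthenticator : public JwksReceiver {
public:
    MultiTokenAuthenticator(JwksFetcher& f, std::vector<bool> fetch_results)
        : fetcher_(f), results_(std::move(fetch_results)) {}

    void start() { tryNextToken(); }
    bool verified() const { return verified_; }

    void onJwksSuccess(const std::string&) override { verified_ = true; }
    void onJwksError() override { tryNextToken(); }  // re-entry into fetch()

private:
    void tryNextToken() {
        if (idx_ >= results_.size()) return;
        fetcher_.fetch(results_[idx_++], *this);
    }
    JwksFetcher& fetcher_;
    std::vector<bool> results_;
    std::size_t idx_ = 0;
    bool verified_ = false;
};

struct Simulation { bool null_dereference; bool verified; };

// Two JWTs in one request: the JWKS fetch for the first fails, the second would succeed.
Simulation simulateTwoTokens(bool hardened) {
    EventLoop loop;
    JwksFetcher fetcher(loop, hardened);
    MultiTokenAuthenticator auth(fetcher, {false, true});
    auth.start();
    loop.run();
    return {fetcher.nullDereferenceHit(), auth.verified()};
}

int main() {
    Simulation bad = simulateTwoTokens(false);   // vulnerable ordering
    Simulation good = simulateTwoTokens(true);   // hardened ordering
    return (bad.null_dereference && !good.null_dereference && good.verified) ? 0 : 1;
}
```

Run with the vulnerable ordering, the second response finds receiver_ already cleared by the first callback's reset(); with the hardened ordering the second token is verified normally. To check whether a deployment is in the affected configuration, look in the envoy.filters.http.jwt_authn filter config for a provider that uses remote_jwks together with a requirement that uses allow_missing_or_failed; the fix is to upgrade to a release at or above the upper bound of the matching row in the affected-range table above.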
How can this vulnerability impact me?
A client that can send requests through an affected Envoy with multiple JWTs in the headers can crash the proxy whenever the remote JWKS fetch fails. The crash is a denial of service (DoS) for every service that relies on that Envoy for authentication and proxying. The crash also requires the JWKS fetch to fail, which the sender does not directly control, but the condition is reachable whenever the JWKS endpoint is unreachable or returns an error. The affected-range table above gives the fixed releases: 1.33.13, 1.34.11, 1.35.7 and 1.36.3.