CVE-2025-62409

EUVD-2025-34820

16.10.2025, 18:15

Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can potentially trigger TCP connection pool crashes due to flow control management in Envoy. It will happen when the connection is closing but upstream data is still coming, resulting in a buffer watermark callback nullptr reference. The vulnerability impacts TCP proxy and HTTP 1 & 2 mixed use cases based on ALPN. This vulnerability is fixed in 1.36.1, 1.35.5, 1.34.9, and 1.33.10.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
envoyproxy	envoy	𝑥 < 1.33.11
envoyproxy	envoy	1.34.0 ≤ 𝑥 < 1.34.9
envoyproxy	envoy	1.35.0 ≤ 𝑥 < 1.35.5
envoyproxy	envoy	1.36.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-pq33-4jxh-hgm3