Security: envoyproxy/envoy
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding
  GHSA-p7c7-7c47-pwch, published Jun 23, 2026 by phlax. Severity: High
- Envoy Heap Buffer Overflow in TcpStatsdSink
  GHSA-7q3f-gwg7-j8g4, published Jun 23, 2026 by nezdolik. Severity: Moderate
- Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)
  GHSA-f8x4-rw5x-f3r7, published Jun 23, 2026 by nezdolik. Severity: Moderate
- HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)
  GHSA-3cj2-c63f-q26f, published Jun 23, 2026 by nezdolik. Severity: Moderate
- ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides
  GHSA-mvh9-767w-x47j, published Jun 23, 2026 by nezdolik. Severity: Moderate
- Envoy: grpc_stats filter segfault on Connect protocol requests to direct_response routes
  GHSA-3jxh-8p6x-7pf6, published Jun 23, 2026 by nezdolik. Severity: Moderate
- HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
  GHSA-8phg-2h2q-jgxf, published Jun 23, 2026 by nezdolik. Severity: High
- Stack overflow in destructor of highly nested JSON
  GHSA-f24p-rxw2-g6pv, published Jun 23, 2026 by nezdolik. Severity: High
- Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion
  GHSA-m3p9-47wh-88wg, published Jun 23, 2026 by nezdolik. Severity: High
- PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
  GHSA-wh36-hm39-mm3r, published Jun 23, 2026 by nezdolik. Severity: Moderate