Envoy, a widely used edge and service proxy, is vulnerable to a denial of service (DoS) attack due to a flaw in its `ext_proc` HTTP filter. This vulnerability, identified as CVE-2025-XXXX, affects multiple versions of Envoy. When the `ext_proc` filter processes a local reply, such as during a failed WebSocket handshake, it can cause the Envoy proxy to crash. This occurs because the filter fails to properly manage its lifecycle during local replies, leading to a null pointer dereference or similar memory corruption issue. The crash results in a complete denial of service, disrupting traffic routing and potentially impacting dependent services.
The vulnerability is triggered when both WebSocket upgrades and the `ext_proc` filter are enabled. A failed WebSocket handshake generates a local reply, which the `ext_proc` filter mishandles, causing Envoy to terminate unexpectedly. This is especially serious where Envoy is a core infrastructure component, since a single proxy crash can cause widespread service outages.
DailyCVE Form:
Platform: Envoy Proxy
Version: <1.30.10, 1.31.0-1.31.5, 1.32.0-1.32.3, 1.33.0
Vulnerability: Denial of Service
Severity: Critical
Date: March 21, 2025
What Undercode Says:
Exploitation:
1. Trigger Condition: Enable WebSocket upgrades and `ext_proc` in the Envoy configuration.
2. Exploit Code:
curl -i -H "Connection: Upgrade" -H "Upgrade: websocket" http://<envoy-ip>:<port>/ws
This simulates a WebSocket handshake failure, triggering the local reply.
3. Debugging:
envoy -c envoy.yaml --log-level debug
Monitor logs for crashes related to `ext_proc`.
Mitigation:
1. Update Envoy:
docker pull envoyproxy/envoy:v1.33.1
Upgrade to a patched version: 1.30.10, 1.31.6, 1.32.4, or 1.33.1.
2. Disable `ext_proc` (if not required):
http_filters:
- name: envoy.filters.http.ext_proc
  disabled: true
3. WebSocket Handshake Validation:
upgrade_configs:
- upgrade_type: websocket
  enabled: true
WebSocket support in Envoy is the `upgrade_configs` entry on the HTTP connection manager (there is no `handshake_timeout` field). Set `enabled: false` on listeners that do not need WebSocket traffic; that removes one of the two trigger conditions.
4. Monitoring:
kubectl logs -l app=envoy -n <namespace> --tail=50
Regularly check for crashes or unusual behavior.
5. Rate Limiting:
rate_limits:
- actions:
  - remote_address: {}
Prevent abuse of WebSocket handshakes by limiting attempts per client address. This route-level block only emits descriptors; it takes effect together with the `envoy.filters.http.ratelimit` filter and a rate limit service, and it reduces exposure rather than fixing the crash.
6. Automated Patching:
helm upgrade envoy envoy/envoy --version 1.33.1
Use Helm for Kubernetes deployments.
7. Fallback Mechanism:
circuit_breakers:
  thresholds:
  - max_connections: 1000
Limit the impact of DoS attacks.
8. Security Audits:
envoy --mode validate -c envoy.yaml
Validate configurations before deployment.
9. Incident Response:
systemctl restart envoy
Restart Envoy if crashes occur.
10. Community Reporting:
Report issues to the Envoy GitHub repository for timely fixes.
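As an added example (not from the advisory or the Envoy project), a POSIX shell script that checks a build against the affected version ranges listed above and greps a config for the two trigger conditions (ext_proc filter plus websocket upgrades); the `envoy --version` output format it parses is an assumption, and the sample version string and config are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Envoy project). Flags builds in
# the affected ranges listed above and configs that enable both features the
# crash needs: the ext_proc HTTP filter plus websocket upgrades.

# envoy_version_affected 1.31.3 -> returns 0 when the version is affected
envoy_version_affected() {
  v=${1#v}; v=${v%%-*}                # accept "v1.31.3"; drop "-dev" suffixes
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$rest" = "$patch" ] && patch=0   # "1.31" means 1.31.0
  [ "$major" -eq 1 ] 2>/dev/null || return 1
  case "$minor" in
    30) [ "$patch" -lt 10 ] ;;        # fixed in 1.30.10
    31) [ "$patch" -le 5 ] ;;         # fixed in 1.31.6
    32) [ "$patch" -le 3 ] ;;         # fixed in 1.32.4
    33) [ "$patch" -eq 0 ] ;;         # fixed in 1.33.1
    *)  [ "$minor" -lt 30 ] ;;        # older minors fall under "<1.30.10"
  esac
}

# Extract "1.31.3" from `envoy --version` output, assumed to look like
# "envoy  version: <sha>/<semver>/Clean/RELEASE/BoringSSL" (verify on your build).
envoy_running_version() {
  sed -n 's#.*version: [^/]*/\([0-9][0-9.]*\)/.*#\1#p' | head -n 1
}

# config_has_trigger_features < envoy.yaml -> returns 0 when the config names
# the ext_proc filter and enables websocket upgrades. Plain text matching: it
# does not honour "disabled: true" on the filter or per-route overrides.
config_has_trigger_features() {
  cfg=$(cat)
  printf '%s\n' "$cfg" | grep -q 'envoy\.filters\.http\.ext_proc' &&
    printf '%s\n' "$cfg" | grep -Eq 'upgrade_type: *"?websocket'
}

# Constructed sample inputs; replace with `envoy --version` and your envoy.yaml.
SAMPLE_VERSION='envoy  version: 0123abcd/1.31.3/Clean/RELEASE/BoringSSL'
SAMPLE_CFG='          upgrade_configs:
          - upgrade_type: websocket
          http_filters:
          - name: envoy.filters.http.ext_proc'
ver=$(printf '%s\n' "$SAMPLE_VERSION" | envoy_running_version)
if envoy_version_affected "$ver" && printf '%s\n' "$SAMPLE_CFG" | config_has_trigger_features; then
  echo "Envoy $ver is in an affected range and the config enables ext_proc + websocket: upgrade"
else
  echo "Envoy $ver: not exposed by version or by configuration"
fi
```

Pipe real input instead of the samples (`envoy --version | envoy_running_version`, `config_has_trigger_features < envoy.yaml`) to use it on a deployment.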
References:
Reported By: https://github.com/advisories/GHSA-cf3q-gqg7-3fm9
Extra Source Hub:
Undercode