envoyproxy envoy Vulnerabilities: CVEs, CISA KEV & Security Advisories

This page aggregates every publicly disclosed vulnerability (CVE) affecting envoyproxy envoy, with a severity breakdown, the affected and patched versions, the most common weakness types, and the full CVE list.

Affected versions and CVEs

Browse every envoyproxy envoy version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

v1.7.063 CVEs
v1.8.063 CVEs
v1.9.063 CVEs
v1.0.062 CVEs
v1.1.062 CVEs
v1.2.062 CVEs
v1.3.062 CVEs
v1.4.062 CVEs
v1.5.062 CVEs
v1.6.062 CVEs
v1.10.061 CVEs
v1.11.061 CVEs
v1.13.061 CVEs
v1.12.060 CVEs
v1.14.056 CVEs
v1.19.055 CVEs
v1.16.054 CVEs
v1.17.054 CVEs
v1.18.053 CVEs
v1.18.153 CVEs
v1.18.253 CVEs
v1.15.050 CVEs
v1.20.048 CVEs
v1.21.046 CVEs
v1.23.041 CVEs
v1.24.041 CVEs
v1.25.041 CVEs
v1.22.040 CVEs
v1.26.035 CVEs
v1.29.033 CVEs
v1.28.031 CVEs
v1.27.030 CVEs
v1.30.020 CVEs
v1.31.020 CVEs
v1.29.116 CVEs
v1.29.215 CVEs
v1.32.015 CVEs
v1.27.114 CVEs
v1.27.214 CVEs
v1.29.314 CVEs
v1.28.113 CVEs
v1.29.413 CVEs
v1.33.013 CVEs
v1.34.013 CVEs
v1.28.212 CVEs
v1.34.112 CVEs
v1.34.212 CVEs
v1.34.312 CVEs
v1.34.412 CVEs
v1.23.111 CVEs
v1.23.211 CVEs
v1.23.311 CVEs
v1.23.411 CVEs
v1.23.511 CVEs
v1.24.111 CVEs
v1.24.211 CVEs
v1.24.311 CVEs
v1.25.111 CVEs
v1.25.211 CVEs
v1.26.111 CVEs
v1.26.211 CVEs
v1.28.311 CVEs
v1.35.011 CVEs
v1.26.310 CVEs
v1.31.110 CVEs
v1.34.510 CVEs
v1.34.610 CVEs
v1.34.710 CVEs
v1.34.810 CVEs
v1.36.010 CVEs
v1.27.39 CVEs
v1.30.19 CVEs
v1.34.99 CVEs
v1.35.19 CVEs
v1.35.29 CVEs
v1.35.39 CVEs
v1.35.49 CVEs
v1.36.19 CVEs
v1.14.18 CVEs
v1.20.18 CVEs
v1.27.48 CVEs
v1.30.28 CVEs
v1.30.38 CVEs
v1.34.108 CVEs
v1.35.58 CVEs
v1.35.68 CVEs
v1.36.28 CVEs
>= 1.20.0, < 1.20.27 CVEs
>= 1.28.0, <= 1.28.37 CVEs
>= 1.29.0, <= 1.29.47 CVEs
v1.14.27 CVEs
v1.27.57 CVEs
v1.30.47 CVEs
v1.30.57 CVEs
v1.33.17 CVEs
v1.33.27 CVEs
< 1.22.96 CVEs
>= 1.19.0, < 1.19.36 CVEs
>= 1.21.0, < 1.21.16 CVEs
>= 1.23.0, < 1.23.66 CVEs
>= 1.24.0, < 1.24.46 CVEs
>= 1.30.0, <= 11.30.16 CVEs
v1.12.16 CVEs
v1.13.16 CVEs
v1.13.26 CVEs
v1.19.16 CVEs
v1.22.26 CVEs
v1.22.36 CVEs
v1.22.46 CVEs
v1.22.56 CVEs
v1.22.66 CVEs
v1.22.76 CVEs
v1.22.86 CVEs
v1.26.46 CVEs
v1.26.56 CVEs
v1.26.66 CVEs
v1.29.56 CVEs
v1.29.66 CVEs
v1.33.36 CVEs
v1.33.46 CVEs
v1.33.56 CVEs
v1.33.66 CVEs
< 1.18.65 CVEs
< 1.26.75 CVEs
< 1.34.135 CVEs
<= 1.27.55 CVEs
>= 1.18.0, < 1.18.45 CVEs
>= 1.19.0, < 1.19.15 CVEs
>= 1.27.0, < 1.27.35 CVEs
>= 1.28.0, < 1.28.15 CVEs
>= 1.29.0, < 1.29.15 CVEs
>= 1.35.0, < 1.35.95 CVEs
>= 1.36.0, < 1.36.55 CVEs
>= 1.37.0, < 1.37.15 CVEs
v1.23.105 CVEs
v1.23.65 CVEs
v1.23.75 CVEs
v1.23.85 CVEs
v1.23.95 CVEs
v1.24.45 CVEs
v1.24.55 CVEs
v1.24.65 CVEs
v1.24.75 CVEs
v1.24.85 CVEs
v1.25.35 CVEs
v1.25.45 CVEs
v1.25.55 CVEs
v1.25.65 CVEs
v1.25.75 CVEs
v1.29.75 CVEs
v1.29.85 CVEs
v1.31.25 CVEs
v1.31.35 CVEs
v1.32.15 CVEs
v1.33.75 CVEs
v1.33.85 CVEs
v1.33.95 CVEs
v1.34.115 CVEs
v1.34.125 CVEs
v1.35.75 CVEs
v1.35.85 CVEs
v1.36.35 CVEs
v1.36.45 CVEs
v1.37.05 CVEs
< 1.23.124 CVEs
>= 1.16.0, < 1.16.54 CVEs
>= 1.17.0, < 1.17.44 CVEs
>= 1.24.0, < 1.24.104 CVEs
>= 1.25.0, < 1.25.34 CVEs
>= 1.25.0, < 1.25.94 CVEs
>= 1.26.0, < 1.26.44 CVEs
>= 1.29.0, < 1.29.94 CVEs
>= 1.30.0, < 1.30.64 CVEs
>= 1.31.0, < 1.31.24 CVEs
v1.23.114 CVEs
v1.24.94 CVEs
v1.25.84 CVEs
v1.28.44 CVEs
v1.31.44 CVEs
v1.32.24 CVEs
v1.33.104 CVEs
v1.33.114 CVEs
< 1.28.73 CVEs
<= 1.33.123 CVEs
>= 1.34.0, <= 1.34.103 CVEs
>= 1.35.0, <= 1.35.63 CVEs
>= 1.36.0, <= 1.36.23 CVEs
v0.11.03 CVEs
v0.12.03 CVEs
v0.14.03 CVEs
v0.14.0-rc23 CVEs
v0.15.03 CVEs
v1.12.23 CVEs
v1.12.33 CVEs
v1.12.43 CVEs
v1.14.33 CVEs
v1.16.13 CVEs
v1.16.23 CVEs
v1.17.13 CVEs
v1.18.33 CVEs
v1.18.43 CVEs
v1.28.53 CVEs
v1.28.63 CVEs
v1.30.63 CVEs
v1.30.73 CVEs
v1.33.123 CVEs
>= 1.25.0, <1.25.32 CVEs
>= 1.31.0, < 1.31.52 CVEs
>= 1.32.0, < 1.32.32 CVEs
>= 1.34.0, < 1.34.52 CVEs
>= 1.35.0, < 1.35.12 CVEs
v0.0.12 CVEs
v0.0.22 CVEs
v0.0.32 CVEs
v0.0.42 CVEs
v0.0.52 CVEs
v0.1.02 CVEs
v0.10.02 CVEs
v0.10.0-rc12 CVEs
v0.10.0-rc22 CVEs
v0.10.0-rc32 CVEs
v0.11.0-rc12 CVEs
v0.11.0-rc22 CVEs
v0.2.02 CVEs
v0.3.02 CVEs
v0.4.02 CVEs
v0.5.02 CVEs
v0.6.02 CVEs
v0.7.02 CVEs
v0.7.12 CVEs
v0.7.22 CVEs
v0.8.02 CVEs
v0.9.02 CVEs
v1.13.32 CVEs
v1.30.82 CVEs
v1.31.52 CVEs
v1.32.32 CVEs
< 1.12.61 CVE
< 1.26.81 CVE
< 1.27.71 CVE
< 1.29.121 CVE
< 1.30.101 CVE
< 1.31.81 CVE
< 1.33.101 CVE
<= 1.32.0, < 1.32.101 CVE
<= 1.33.111 CVE
> 1.18.0, <= 1.27.51 CVE
>= 1.13.0, < 1.13.41 CVE
>= 1.13.0, < 1.27.51 CVE
>= 1.13.0, <= 1.30.11 CVE
>= 1.14.0, < 1.14.41 CVE
>= 1.23.0, < 1.23.111 CVE
>= 1.24.0, < 1.24.91 CVE
>= 1.25.0, < 1.25.81 CVE
>= 1.26.0, < 1.26.31 CVE
>= 1.27.0, < 1.27.41 CVE
>= 1.28.0, < 1.28.21 CVE
>= 1.28.0, < 1.28.31 CVE
>= 1.28.0, < 1.28.51 CVE
>= 1.29.0, < 1.29.31 CVE
>= 1.29.0, < 1.29.41 CVE
>= 1.29.0, < 1.29.71 CVE
>= 1.30.0, < 1.30.41 CVE
>= 1.30.0, < 1.30.81 CVE
>= 1.30.0, < 1.30.91 CVE
>= 1.30.0, < 11.30.11 CVE
>= 1.31.0, < 1.31.41 CVE
>= 1.31.0, < 1.31.61 CVE
>= 1.32.0, < 1.32.21 CVE
>= 1.32.0, < 1.32.41 CVE
>= 1.32.0, < 1.32.61 CVE
>= 1.33.0, < 1.33.11 CVE
>= 1.33.0, < 1.33.31 CVE
>= 1.33.0, < 1.33.71 CVE
>= 1.34.0, < 1.34.11 CVE
>= 1.34.0, < 1.34.91 CVE
>= 1.34.0, <= 1.34.91 CVE
>= 1.35.0, < 1.35.51 CVE
>= 1.350, <= 1.35.51 CVE
>= 1.36.0, < 1.36.11 CVE
>= 1.36.0, <= 1.36.11 CVE
>= 1.7.0, < 1.18.61 CVE
0.3.01 CVE
0.5.01 CVE
0.6.01 CVE
1.0.01 CVE
1.0.0-snapshot.01 CVE
1.0.0-snapshot.11 CVE
1.0.0-snapshot.21 CVE
1.1.01 CVE
1.1.0-rc.01 CVE
1.1.0-rc.11 CVE
1.1.0-rc.21 CVE
1.1.0-rc.31 CVE
1.1.0-rc.41 CVE
1.1.0-rc.51 CVE
1.1.0-rc.61 CVE
1.1.0-snapshot.21 CVE
1.1.0-snapshot.31 CVE
1.1.0-snapshot.41 CVE
1.1.0-snapshot.51 CVE
1.1.0-snapshot.61 CVE
1.1.0.snapshot.01 CVE
1.1.0.snapshot.11 CVE
1.1.11 CVE
1.1.21 CVE
1.1.31 CVE
1.1.41 CVE
1.1.51 CVE
1.1.61 CVE
1.1.71 CVE
1.2.0-rc.01 CVE
1.2.0-rc.31 CVE
1.3.01 CVE
1.3.11 CVE
1.3.21 CVE
1.3.31 CVE
1.5.01 CVE
1.5.0-alpha.01 CVE
1.5.0-beta.31 CVE
1.5.0-beta.41 CVE
1.5.0-beta.51 CVE
1.5.11 CVE
v1.14.41 CVE
v1.14.51 CVE
v1.14.61 CVE
v1.15.11 CVE
v1.15.21 CVE
v1.15.31 CVE
v1.16.31 CVE
v1.17.21 CVE
v1.26.71 CVE
v1.27.61 CVE
v1.29.101 CVE
v1.29.111 CVE
v1.29.91 CVE
v1.30.91 CVE
v1.31.61 CVE
v1.31.71 CVE
v1.32.41 CVE
v1.32.51 CVE

Fixed in

1.18.48 CVEs
1.20.28 CVEs
4aaf9593152c6996b9da384c8918e9ad4f0abd4d8 CVEs
bef18019d8fc33a4ed6aca3679aff2100241ac5e8 CVEs
1.28.47 CVEs
1.29.57 CVEs
1.30.27 CVEs
0de60452be1fa329c16076916b6bfe1f672aeed46 CVEs
1.17.46 CVEs
1.18.66 CVEs
1.19.36 CVEs
1.22.96 CVEs
1.23.66 CVEs

Find a version

98 CVEs

Sort

Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly
CVE-2026-26330
Patch
CWE-416
Medium · CVSS 5.3
EPSS 0.0% (0th pct)2026-03-10
Envoy HTTP: filter chain execution on reset streams causing UAF crash
CVE-2026-26311
Public exploit
Patch
CWE-416
Medium · CVSS 5.9
EPSS 0.0% (6th pct)2026-03-10
Crash for scoped ip address in Envoy during DNS
CVE-2026-26310
Patch
CWE-20
Medium · CVSS 5.9
EPSS 0.0% (1th pct)2026-03-10
Envoy has an off-by-one write in JsonEscaper::escapeString()
CVE-2026-26309
Patch
CWE-193
Medium · CVSS 5.3
EPSS 0.0% (0th pct)2026-03-10
Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation
CVE-2026-26308
Patch
CWE-863
High · CVSS 7.5
EPSS 0.0% (0th pct)2026-03-10
Envoy’s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte
CVE-2025-66220
Public exploit
Patch
CWE-170
Medium · CVSS 5.0
EPSS 0.0% (0th pct)2025-12-03
Envoy forwards early CONNECT data in TCP proxy mode
CVE-2025-64763
Patch
CWE-693
Low · CVSS 3.7
EPSS 0.0% (0th pct)2025-12-03
Envoy crashes when JWT authentication is configured with the remote JWKS fetching
CVE-2025-64527
Patch
CWE-476
Medium · CVSS 6.5
EPSS 0.0% (0th pct)2025-12-03
Envoy Lua filter use-after-free when oversized rewritten response body causes crash
CVE-2025-62504
Patch
CWE-416
Medium · CVSS 6.5
EPSS 0.0% (6th pct)2025-10-16
Envoy allows large requests and responses to cause TCP connection pool crash
CVE-2025-62409
Public exploit
Patch
CWE-476
Medium · CVSS 6.6
EPSS 0.0% (2th pct)2025-10-16
Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag
CVE-2025-55162
Public exploit
Patch
CWE-613
Medium · CVSS 6.3
EPSS 0.0% (2th pct)2025-09-03
Envoy: Race condition in Dynamic Forward Proxy leads to use-after-free and segmentation faults
CVE-2025-54588
Patch
CWE-416
High · CVSS 7.5
EPSS 0.0% (3th pct)2025-09-02
Envoy vulnerable to bypass of RBAC uri_template permission
CVE-2025-46821
Patch
CWE-186
Medium · CVSS 5.3
EPSS 0.1% (20th pct)2025-05-07
Envoy crashes when HTTP ext_proc processes local replies
CVE-2025-30157
Public exploit
Patch
CWE-460
Medium · CVSS 6.5
EPSS 0.0% (14th pct)2025-03-21
High vulnerability · 2024-12-18
CVE-2024-53271
Public exploit
Patch
CWE-670
High · CVSS 7.1
EPSS 0.0% (11th pct)2024-12-18
High vulnerability · 2024-12-18
CVE-2024-53270
Public exploit
Patch
CWE-670
High · CVSS 7.5
EPSS 0.0% (5th pct)2024-12-18
Medium vulnerability · 2024-12-18
CVE-2024-53269
Public exploit
Patch
CWE-670
Medium · CVSS 4.5
EPSS 0.0% (4th pct)2024-12-18
Medium vulnerability · 2024-09-19
CVE-2024-45806
Public exploit
Patch
CWE-639
Medium · CVSS 6.5
EPSS 0.2% (48th pct)2024-09-19
oghttp2 crash on OnBeginHeadersForStream in envoy
CVE-2024-45807
Patch
CWE-670
High · CVSS 7.5
EPSS 0.1% (27th pct)2024-09-19
Medium vulnerability · 2024-09-19
CVE-2024-45808
Public exploit
Patch
CWE-117
Medium · CVSS 6.5
EPSS 0.1% (18th pct)2024-09-19
Medium vulnerability · 2024-09-19
CVE-2024-45809
Patch
CWE-119
Medium · CVSS 5.3
EPSS 0.1% (32th pct)2024-09-19
Envoy crashes for LocalReply in http async client
CVE-2024-45810
Patch
CWE-119
Medium · CVSS 6.5
EPSS 0.0% (7th pct)2024-09-19
Medium vulnerability · 2024-07-01
CVE-2024-39305
Patch
CWE-416
Medium · CVSS 6.5
EPSS 0.0% (15th pct)2024-07-01
Medium vulnerability · 2024-06-04
CVE-2024-32974
Patch
CWE-416
Medium · CVSS 5.9
EPSS 0.0% (6th pct)2024-06-04
Medium vulnerability · 2024-06-04
CVE-2024-32975
Public exploit
Patch
CWE-191
Medium · CVSS 5.9
EPSS 0.0% (9th pct)2024-06-04
High vulnerability · 2024-06-04
CVE-2024-32976
Public exploit
Patch
CWE-835
High · CVSS 7.5
EPSS 0.0% (9th pct)2024-06-04
Medium vulnerability · 2024-06-04
CVE-2024-34362
Public exploit
Patch
CWE-416
Medium · CVSS 5.9
EPSS 0.0% (6th pct)2024-06-04
High vulnerability · 2024-06-04
CVE-2024-34363
Patch
CWE-248
High · CVSS 7.5
EPSS 0.0% (9th pct)2024-06-04
Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response
CVE-2024-34364
Patch
CWE-400
Medium · CVSS 5.7
EPSS 0.0% (7th pct)2024-06-04
Medium vulnerability · 2024-06-04
CVE-2024-23326
Patch
CWE-391
Medium · CVSS 5.9
EPSS 0.1% (24th pct)2024-06-04

Showing 30 of 98

envoyproxy envoy Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Fixed in

Common weakness types

Disclosure activity by year

Other envoyproxy products

Frequently asked questions

How many CVEs does envoyproxy envoy have?

How many envoyproxy envoy CVEs are in CISA KEV?

Are there public exploits for envoyproxy envoy vulnerabilities?

Which versions of envoyproxy envoy are affected?

What are the most common weakness types in envoyproxy envoy CVEs?

How many critical envoyproxy envoy vulnerabilities are there?

What is the average severity of envoyproxy envoy CVEs?

References

Track envoyproxy envoy vulnerabilities