GHSA-cf3q-gqg7-3fm9: Envoy crashes when HTTP ext_proc processes local replies

Summary

Envoy's ext_proc HTTP filter can crash when a local reply is handed to the external processing server, because of a lifetime issue in the filter. One known trigger is a failed WebSocket handshake: the failure generates a local reply, and processing that reply crashes Envoy.

PoC

With both WebSocket upgrades and ext_proc enabled, a failed WebSocket handshake generates a local reply, and the ext_proc filter crashes while handling it.

Mitigation

  1. Disable WebSocket traffic.
  2. Change the backend's WebSocket handshake response so that it always returns 101 Switching Protocols, as the WebSocket RFC (RFC 6455) specifies.
  3. Apply the patch, after which the ext_proc filter no longer sends Envoy-generated local replies to the ext_proc server for processing.
  4. Apply the patch, after which the router cancels the upstream request when it sends a local reply.

Impact

Denial of service

Reporter

Vasilios Syrakis
Fernando Cainelli

GitHub Advisory Database (GitHub Reviewed): CVE-2025-30157

Moderate severity. Published Mar 20, 2025 in envoyproxy/envoy; updated Mar 21, 2025.

Package

gomod github.com/envoyproxy/envoy (Go)

Affected versions

< 1.30.10

>= 1.31.0, < 1.31.6

>= 1.32.0, < 1.32.4

>= 1.33.0, < 1.33.1

Patched versions

1.30.10

1.31.6

1.32.4

1.33.1
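The following script is an added example for this advisory; it is not Envoy project code and not part of the GHSA entry. It encodes the affected and patched ranges listed above so a fleet's `envoy --version` output can be triaged, and it audits an Envoy static configuration for the combination the PoC describes: the ext_proc HTTP filter on a connection manager that also accepts WebSocket upgrades. The configuration is handled in JSON form (which Envoy accepts alongside YAML); the `envoy --version` output layout, the listener and cluster names, and the sample bootstrap are assumptions constructed for this example. The exposure check is a conservative heuristic: any enabled websocket upgrade config, manager-wide or on any route, counts, and the connection manager's per-upgrade `filters` override is not inspected.

```python
"""Triage helper for GHSA-cf3q-gqg7-3fm9 / CVE-2025-30157 (added example, not Envoy code)."""
import json
import re

# Affected ranges exactly as the advisory lists them: lower bound inclusive
# (None = anything older), upper bound exclusive (the patched release).
AFFECTED_RANGES = [
    (None, (1, 30, 10)),
    ((1, 31, 0), (1, 31, 6)),
    ((1, 32, 0), (1, 32, 4)),
    ((1, 33, 0), (1, 33, 1)),
]

HCM_TYPE = ("type.googleapis.com/envoy.extensions.filters.network."
            "http_connection_manager.v3.HttpConnectionManager")
EXT_PROC_TYPE = ("type.googleapis.com/envoy.extensions.filters.http."
                 "ext_proc.v3.ExternalProcessor")


def parse_version(text):
    """Extract MAJOR.MINOR.PATCH from a bare version or from `envoy --version`
    output (assumed to look like 'envoy  version: <sha>/1.32.3/Clean/RELEASE/BoringSSL')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no X.Y.Z release in %r" % text)
    return tuple(int(g) for g in m.groups())


def is_affected(text):
    """True if the release falls inside any affected range."""
    v = parse_version(text)
    return any((lo is None or lo <= v) and v < hi for lo, hi in AFFECTED_RANGES)


def _websocket_enabled(upgrade_configs):
    """A websocket upgrade entry counts as enabled unless it says enabled: false."""
    return any(cfg.get("upgrade_type", "").lower() == "websocket" and cfg.get("enabled", True)
               for cfg in upgrade_configs or [])


def _connection_managers(bootstrap):
    """Yield (listener name, HttpConnectionManager typed_config) pairs."""
    for listener in bootstrap.get("static_resources", {}).get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for f in chain.get("filters", []):
                hcm = f.get("typed_config", {})
                if hcm.get("@type") == HCM_TYPE:
                    yield listener.get("name", "<unnamed>"), hcm


def _route_actions(hcm):
    for vh in hcm.get("route_config", {}).get("virtual_hosts", []):
        for r in vh.get("routes", []):
            yield r.get("route", {})


def find_exposed_listeners(bootstrap):
    """Listeners whose connection manager runs ext_proc and accepts WebSocket
    upgrades, manager-wide or on any route (conservative heuristic)."""
    exposed = []
    for name, hcm in _connection_managers(bootstrap):
        has_ext_proc = any(hf.get("typed_config", {}).get("@type") == EXT_PROC_TYPE
                           for hf in hcm.get("http_filters", []))
        websocket = (_websocket_enabled(hcm.get("upgrade_configs"))
                     or any(_websocket_enabled(ra.get("upgrade_configs")) for ra in _route_actions(hcm)))
        if has_ext_proc and websocket:
            exposed.append(name)
    return exposed


def mitigated_copy(bootstrap):
    """Mitigation 1 from the advisory applied mechanically to a deep copy:
    every websocket upgrade config, manager-wide or per route, gets enabled: false."""
    out = json.loads(json.dumps(bootstrap))
    for _, hcm in _connection_managers(out):
        per_route = [c for ra in _route_actions(hcm) for c in ra.get("upgrade_configs", [])]
        for cfg in list(hcm.get("upgrade_configs", [])) + per_route:
            if cfg.get("upgrade_type", "").lower() == "websocket":
                cfg["enabled"] = False
    return out


# Constructed sample bootstrap (names are made up for this example).
ROUTER = {"name": "envoy.filters.http.router", "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}
EXT_PROC = {"name": "envoy.filters.http.ext_proc", "typed_config": {
    "@type": EXT_PROC_TYPE, "grpc_service": {"envoy_grpc": {"cluster_name": "ext_proc_server"}}}}


def listener(name, http_filters, upgrade_configs=None, route_upgrade_configs=None):
    """Build a minimal static listener around one HttpConnectionManager."""
    route = {"cluster": "backend"}
    if route_upgrade_configs is not None:
        route["upgrade_configs"] = route_upgrade_configs
    hcm = {"@type": HCM_TYPE, "stat_prefix": name, "http_filters": http_filters,
           "route_config": {"virtual_hosts": [{"name": "all", "domains": ["*"],
                            "routes": [{"match": {"prefix": "/"}, "route": route}]}]}}
    if upgrade_configs is not None:
        hcm["upgrade_configs"] = upgrade_configs
    return {"name": name, "filter_chains": [{"filters": [
        {"name": "envoy.filters.network.http_connection_manager", "typed_config": hcm}]}]}


SAMPLE_BOOTSTRAP = {"static_resources": {"listeners": [
    # the shape the PoC describes: ext_proc plus a manager-wide websocket upgrade
    listener("edge_ws", [EXT_PROC, ROUTER], upgrade_configs=[{"upgrade_type": "websocket"}]),
    # websocket off manager-wide but re-enabled on a route: still exposed
    listener("edge_route_ws", [EXT_PROC, ROUTER],
             upgrade_configs=[{"upgrade_type": "websocket", "enabled": False}],
             route_upgrade_configs=[{"upgrade_type": "websocket", "enabled": True}]),
    # ext_proc with no websocket upgrade at all: not the combination in the PoC
    listener("edge_plain", [EXT_PROC, ROUTER]),
]}}

if __name__ == "__main__":
    print("1.32.3 affected:", is_affected("1.32.3"))
    print("exposed listeners:", find_exposed_listeners(SAMPLE_BOOTSTRAP))
    print("after mitigation 1:", find_exposed_listeners(mitigated_copy(SAMPLE_BOOTSTRAP)))
```

A listener reported as exposed on a release that `is_affected` flags needs either mitigation 1 (the `enabled: false` change `mitigated_copy` shows) or an upgrade to the patched release for its minor line; the script only reads the configuration and never contacts Envoy.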


References

  • GHSA-cf3q-gqg7-3fm9

Published to the GitHub Advisory Database

Mar 21, 2025

Last updated

Mar 21, 2025
