CVE-2025-46821: CWE-186: Overly Restrictive Regular Expression in envoyproxy envoy

Medium
Type: Vulnerability. Tags: cve, cve-2025-46821, cwe-186
Published: Wed May 07 2025 (05/07/2025, 21:24:07 UTC)
Source: CVE
Vendor/Project: envoyproxy
Product: envoy

Description

Envoy is a cloud-native edge/middle/service proxy. Prior to versions 1.34.1, 1.33.3, 1.32.6, and 1.31.8, Envoy's URI template matcher incorrectly excludes the `*` character from the set of valid characters in the URI path. As a result, a URI path containing the `*` character will not match a URI template expression. This can result in a bypass of RBAC rules that are configured using `uri_template` permissions. This vulnerability is fixed in Envoy versions v1.34.1, v1.33.3, v1.32.6, and v1.31.8. As a workaround, configure additional RBAC permissions using `url_path` with a `safe_regex` expression.

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 06:54:31 UTC

Technical Analysis

CVE-2025-46821 is a medium severity vulnerability affecting the Envoy proxy, a widely used cloud-native edge, middle, and service proxy. The vulnerability arises from an overly restrictive regular expression in Envoy's URI template matcher prior to versions 1.34.1, 1.33.3, 1.32.6, and 1.31.8. Specifically, the URI template matcher incorrectly excludes the asterisk (*) character from the set of valid characters in the URI path, so URI paths containing '*' fail to match against URI template expressions. When Role-Based Access Control (RBAC) rules are configured using 'uri_template' permissions, this flaw can be exploited to bypass those rules: a request whose URI path contains '*' is never matched by the template, so the rule written for that path is not applied. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 5.3, reflecting medium severity with a network attack vector, low complexity, no privileges required, and no user interaction. The impact is limited to confidentiality, as the bypass could allow unauthorized access to resources protected by RBAC policies. There are no known exploits in the wild as of the published date. The recommended fix is to upgrade to one of the patched versions of Envoy (v1.34.1, v1.33.3, v1.32.6, or v1.31.8). As a workaround, administrators can configure additional RBAC permissions using 'url_path' with 'safe_regex' expressions that cover URI paths containing '*'. This vulnerability is categorized under CWE-186 (Overly Restrictive Regular Expression).

Potential Impact

For European organizations, the impact of this vulnerability can be significant in environments where Envoy proxies are deployed to enforce fine-grained access control policies using RBAC with URI template matching. A successful bypass could allow unauthorized users or attackers to access sensitive internal services or data by crafting requests with '*' characters in the URI path, circumventing intended access restrictions. This could lead to unauthorized data exposure or access to internal APIs, potentially violating data protection regulations such as GDPR if personal or sensitive data is involved. The vulnerability does not directly affect integrity or availability but compromises confidentiality. Given Envoy's popularity in cloud-native and microservices architectures, especially in financial, telecommunications, and governmental sectors prevalent in Europe, the risk is non-trivial. However, the absence of known exploits in the wild and the medium CVSS score suggest that while the vulnerability is exploitable, it requires specific conditions and knowledge of the RBAC configuration to be effective.

Mitigation Recommendations

European organizations should prioritize upgrading Envoy proxies to the fixed versions: v1.34.1, v1.33.3, v1.32.6, or v1.31.8 as soon as possible to fully remediate the vulnerability. Until upgrades can be applied, administrators should implement the recommended workaround by configuring RBAC permissions using 'url_path' with 'safe_regex' expressions that explicitly allow or deny URI paths containing the '*' character, ensuring that access control policies cover these cases. It is also advisable to audit existing RBAC policies that use 'uri_template' permissions to identify potential gaps caused by this vulnerability. Monitoring and logging of unusual URI paths containing '*' should be enabled to detect potential exploitation attempts. Additionally, organizations should review their Envoy deployment architectures to ensure that proxies are not exposed unnecessarily to untrusted networks and that network segmentation and firewall rules limit access to Envoy management and data planes. Regular vulnerability scanning and penetration testing focusing on RBAC bypass scenarios can help identify residual risks.
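The audit and monitoring steps above, as an added example that is not Envoy project code: a small Python script that walks an RBAC `rules` object (the JSON form of `envoy.config.rbac.v3.RBAC`), reports policies that rely on `uri_template` permissions without a companion `url_path`/`safe_regex` permission covering '*', appends the advisory's workaround permission to those policies, and scans access-log lines in Envoy's default format for '*' in protected paths. The policy name `deny-admin`, the `/admin/` prefix, the regex `^/admin/.*\*.*$`, the "contains an escaped `\*`" heuristic and the log lines are all constructed for illustration; the matcher name and `@type` are those of Envoy's URI template path-match extension.

```python
"""Audit Envoy RBAC policies for the CVE-2025-46821 gap and flag access-log
entries worth a second look. Added example; not Envoy project code. Policy
names, paths, the regex and the log lines below are constructed."""
import copy
import json
import re

# Constructed DENY policy (JSON form of envoy.config.rbac.v3.RBAC). It blocks
# every path under /admin/ with a uri_template permission only. On affected
# versions a request for a path such as /admin/us*rs does not match the
# template, so the DENY never fires for it.
RBAC_RULES = {
    "action": "DENY",
    "policies": {
        "deny-admin": {
            "permissions": [
                {
                    "uri_template": {
                        "name": "envoy.path.match.uri_template.uri_template_matcher",
                        "typed_config": {
                            "@type": "type.googleapis.com/envoy.extensions.path.match."
                                     "uri_template.v3.UriTemplateMatchConfig",
                            "path_template": "/admin/{rest=**}",
                        },
                    }
                }
            ],
            "principals": [{"any": True}],
        }
    },
}

# Advisory workaround: a url_path/safe_regex permission that matches any
# /admin/ path containing a literal '*'. Permissions inside one policy are
# OR-ed, so adding it makes the DENY fire for the paths the template misses.
STAR_PATH_PERMISSION = {
    "url_path": {"path": {"safe_regex": {"regex": r"^/admin/.*\*.*$"}}}
}


def _iter_permissions(perms):
    """Yield leaf permissions, descending through and_rules/or_rules/not_rule."""
    for perm in perms:
        if "and_rules" in perm:
            yield from _iter_permissions(perm["and_rules"]["rules"])
        elif "or_rules" in perm:
            yield from _iter_permissions(perm["or_rules"]["rules"])
        elif "not_rule" in perm:
            yield from _iter_permissions([perm["not_rule"]])
        else:
            yield perm


def _has_star_regex(perm):
    """Heuristic: a url_path/safe_regex permission whose pattern contains an
    escaped asterisk was written to cover paths containing '*'."""
    regex = perm.get("url_path", {}).get("path", {}).get("safe_regex", {}).get("regex", "")
    return "\\*" in regex


def find_uncovered_policies(rules):
    """Names of policies using uri_template permissions with no '*'-covering
    url_path/safe_regex permission beside them."""
    gaps = []
    for name, policy in rules.get("policies", {}).items():
        leaves = list(_iter_permissions(policy.get("permissions", [])))
        uses_template = any("uri_template" in p for p in leaves)
        covered = any(_has_star_regex(p) for p in leaves)
        if uses_template and not covered:
            gaps.append(name)
    return sorted(gaps)


def apply_workaround(rules):
    """Return a copy of rules with STAR_PATH_PERMISSION appended to each
    policy reported by find_uncovered_policies; the input is left untouched."""
    fixed = copy.deepcopy(rules)
    for name in find_uncovered_policies(rules):
        fixed["policies"][name]["permissions"].append(copy.deepcopy(STAR_PATH_PERMISSION))
    return fixed


# Constructed lines in Envoy's default access-log format.
ACCESS_LOG = """\
[2025-05-08T10:00:01.000Z] "GET /admin/users HTTP/1.1" 403 - 0 0 1 - "203.0.113.7" "curl/8.0" "id-1" "proxy.example" "-"
[2025-05-08T10:00:02.000Z] "GET /admin/us*rs HTTP/1.1" 200 - 0 512 3 2 "203.0.113.7" "curl/8.0" "id-2" "proxy.example" "10.0.0.5:8080"
[2025-05-08T10:00:03.000Z] "GET /api/health HTTP/1.1" 200 - 0 16 1 1 "198.51.100.2" "kube-probe/1.29" "id-3" "proxy.example" "10.0.0.5:8080"
"""

LOG_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<code>\d{3}) ')


def find_star_requests(log_text, protected_prefixes=("/admin/",)):
    """(timestamp, path, status) for requests whose path contains '*' under a
    protected prefix. A 2xx on a path a DENY template should have blocked is
    the signal to investigate."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if "*" in path and path.startswith(protected_prefixes):
            hits.append((m.group("ts"), path, int(m.group("code"))))
    return hits


if __name__ == "__main__":
    print("policies without '*' coverage:", find_uncovered_policies(RBAC_RULES))
    print(json.dumps(apply_workaround(RBAC_RULES), indent=2))
    for ts, path, code in find_star_requests(ACCESS_LOG):
        print(f"{ts} {path} -> {code}")
```

The audit is deliberately conservative: it only looks for the escaped `\*` in a `safe_regex` pattern, so a regex that happens to cover '*' some other way will still be reported and should be reviewed by hand. The log scan strips the query string before testing, because only the path component is subject to the template matcher described in the advisory.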

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-04-30T19:41:58.134Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9819c4522896dcbd8599

Added to database: 5/21/2025, 9:08:41 AM

Last enriched: 7/5/2025, 6:54:31 AM

Last updated: 8/16/2025, 4:37:42 AM
