CVE-2025-62504: CWE-416: Use After Free in envoyproxy envoy
Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw.
AI Analysis
Technical Summary
CVE-2025-62504 is a use-after-free vulnerability classified under CWE-416 found in the Lua filter component of the Envoy proxy, an open-source edge and service proxy widely used in cloud-native environments. The flaw manifests when a Lua script, executing during the response phase, rewrites the response body such that its size exceeds the configured per_connection_buffer_limit_bytes (defaulting to 1MB). Under these conditions, Envoy attempts to generate a local reply to handle the oversized response, replacing the original response headers. However, this process leaves dangling pointers referencing freed memory, causing a use-after-free scenario that results in a crash of the Envoy process, effectively causing a denial of service (DoS). The vulnerability affects multiple Envoy versions prior to 1.36.2, 1.35.6, 1.34.10, and 1.33.12, with affected version ranges including 1.33.x through 1.36.1. Exploitation requires low privileges (PR:L) but no user interaction (UI:N), and the attack vector is network-based (AV:N), meaning an attacker can trigger the crash remotely by sending crafted responses that cause the Lua script to exceed buffer limits. While increasing buffer limits such as per_connection_buffer_limit_bytes and HTTP/2 initial_stream_window_size can reduce the likelihood of triggering the vulnerability, these are mitigations rather than fixes, as the underlying memory safety issue remains. The definitive remediation is upgrading to the patched Envoy versions. No known exploits are currently reported in the wild, but the medium CVSS score (6.5) reflects the moderate impact and ease of exploitation. This vulnerability primarily impacts availability, as it causes service crashes without compromising confidentiality or integrity.
Potential Impact
For European organizations, the primary impact of CVE-2025-62504 is service disruption due to denial of service. Envoy is commonly deployed as an edge proxy or service mesh component in cloud-native infrastructures, including microservices architectures prevalent in many European enterprises and cloud providers. A successful exploitation can cause Envoy instances to crash, leading to downtime or degraded service availability, which can affect customer-facing applications, internal services, or critical infrastructure. This disruption can have cascading effects in environments relying heavily on Envoy for traffic routing, load balancing, and security enforcement. Additionally, organizations in regulated sectors such as finance, healthcare, and telecommunications may face compliance and operational risks if service availability is compromised. The vulnerability does not directly expose data confidentiality or integrity but can indirectly impact business continuity and service-level agreements (SLAs). Given the network-based attack vector and low privilege requirement, attackers within or outside the network could exploit this flaw to disrupt services.
Mitigation Recommendations
The primary mitigation is to upgrade Envoy to one of the patched versions: 1.36.2, 1.35.6, 1.34.10, or 1.33.12, depending on the currently deployed version. Organizations should prioritize testing and deploying these updates in their production environments promptly. As an interim measure, increasing the per_connection_buffer_limit_bytes and, for HTTP/2 traffic, the initial_stream_window_size can reduce the chance of triggering the vulnerability, but this does not eliminate the underlying use-after-free condition and should not be considered a long-term fix. Similarly, increasing per_request_buffer_limit_bytes or request_body_buffer_limit may help but is insufficient alone. It is also advisable to audit Lua scripts used in Envoy filters to identify any that rewrite response bodies and assess their behavior relative to buffer limits. Monitoring Envoy logs and metrics for unexpected crashes or restarts can help detect exploitation attempts. Network segmentation and limiting exposure of Envoy instances to untrusted networks can reduce attack surface. Finally, organizations should incorporate this vulnerability into their incident response and vulnerability management workflows to ensure timely remediation.
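An added triage helper (not Envoy project code) that turns the advisory's fixed-version list into an inventory check: each host is compared against the patched release on its own minor branch, and hosts that run a Lua filter are flagged higher because the crash requires a Lua script rewriting the response body. The handling of branches older than 1.33 (treated as affected, upgrade target 1.33.12) and the inventory records are assumptions constructed for the example.

```python
"""Triage Envoy hosts against CVE-2025-62504 fixed versions from the advisory."""
import re

# Fixed releases per minor branch, as stated in the advisory.
FIXED = {
    (1, 33): (1, 33, 12),
    (1, 34): (1, 34, 10),
    (1, 35): (1, 35, 6),
    (1, 36): (1, 36, 2),
}


def parse_version(text):
    """Parse 'v1.36.1' or '1.36.1' into an (major, minor, patch) tuple."""
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Envoy version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True if this release predates the fix on its branch."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED:
        return parsed < FIXED[branch]
    if branch > (1, 36):
        return False  # branches newer than 1.36 ship after the fix
    return True  # assumption: older, unlisted branches never received a fix


def triage(inventory):
    """Return (host, version, upgrade_target, priority) for hosts needing action."""
    actions = []
    for item in inventory:
        if not is_vulnerable(item["version"]):
            continue
        branch = parse_version(item["version"])[:2]
        # Assumption: pre-1.33 hosts move to the oldest fixed branch.
        target = ".".join(map(str, FIXED.get(branch, FIXED[(1, 33)])))
        # Lua filter present: the crash precondition exists, so patch first.
        priority = "high" if item.get("lua_filter") else "medium"
        actions.append((item["host"], item["version"], target, priority))
    return actions


# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = [
    {"host": "edge-1", "version": "1.36.1", "lua_filter": True},
    {"host": "edge-2", "version": "v1.36.2", "lua_filter": True},
    {"host": "mesh-a", "version": "1.34.9", "lua_filter": False},
    {"host": "legacy", "version": "1.32.4", "lua_filter": True},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-8s %-8s -> upgrade to %-8s priority=%s" % row)
```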
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-15T15:03:28.132Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f1639f9f8a5dbaea0c0fc7
Added to database: 10/16/2025, 9:29:03 PM
Last enriched: 10/16/2025, 9:44:06 PM
Last updated: 10/19/2025, 12:02:52 PM