CVE-2025-64527 is a NULL pointer dereference vulnerability in the Envoy proxy versions up to 1.36.2, specifically triggered when JWT authentication is configured to fetch JSON Web Key Sets (JWKS) remotely with the allow_missing_or_failed option enabled. The issue arises when multiple JWT tokens are present in request headers and the JWKS fetch operation fails. The root cause is a re-entrancy bug in the JwksFetcherImpl component: upon failure of the first token's JWKS fetch, the onJwksError() callback initiates processing of the second token, which calls fetch() again on the same fetcher object. However, the original callback's reset() method clears the internal state (receiver_ and request_) of the second fetch, causing a NULL pointer dereference when the asynchronous HTTP response arrives. This leads to a crash of the Envoy process, resulting in denial of service. The vulnerability does not impact confidentiality or integrity but affects availability. The CVSS v3.1 score is 6.5 (medium), reflecting network attack vector, low complexity, required privileges, no user interaction, and impact limited to availability. There are no known exploits in the wild at the time of publication. The affected versions include all releases up to 1.36.2, including 1.33.12, 1.34.10, 1.35.6, and 1.36.2. No official patches are linked yet, so users must monitor for updates or apply configuration changes to avoid triggering the bug.

The primary impact of CVE-2025-64527 is denial of service due to Envoy proxy crashes when specific JWT authentication and JWKS fetching configurations are used. For European organizations, this can disrupt critical edge, middle, or service proxy functions, potentially causing outages in microservices architectures, API gateways, or service meshes that rely on Envoy. Such disruptions can affect availability of web applications, internal services, and cloud infrastructure components. Organizations using Envoy for authentication enforcement with multiple JWT tokens and remote JWKS fetching are particularly vulnerable. This may impact sectors with high reliance on cloud-native deployments such as finance, telecommunications, and government services. While no data confidentiality or integrity loss occurs, the availability impact can lead to operational downtime, service degradation, and increased incident response costs. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits targeting this vulnerability.

To mitigate CVE-2025-64527, European organizations should: 1) Upgrade Envoy to a version where this vulnerability is fixed once the vendor releases a patch. 2) Until patches are available, avoid configuring JWT authentication with remote JWKS fetching combined with allow_missing_or_failed enabled when multiple JWT tokens are expected in request headers. 3) Implement monitoring and alerting on Envoy process crashes to detect potential exploitation attempts or misconfigurations. 4) Consider limiting the number of JWT tokens accepted per request or disabling allow_missing_or_failed to prevent triggering the re-entrancy bug. 5) Use network segmentation and strict access controls to limit exposure of Envoy management interfaces and reduce the risk of unauthorized configuration changes. 6) Regularly review and audit JWT authentication policies and JWKS endpoints for reliability and availability to minimize fetch failures. 7) Engage with Envoy community and security advisories to promptly apply updates and recommended configurations.