CVE-2025-64527: CWE-476: NULL Pointer Dereference in envoyproxy envoy
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, the onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback's reset() then clears the second fetch's state (receiver_ and request_), which causes a crash when the async HTTP response arrives.
AI Analysis
Technical Summary
CVE-2025-64527 is a vulnerability classified under CWE-476 (NULL Pointer Dereference) affecting the Envoy proxy, a widely used high-performance edge and service proxy. The issue exists in the 1.33, 1.34, 1.35 and 1.36 release lines up to and including 1.33.12, 1.34.10, 1.35.6 and 1.36.2 respectively. The vulnerability manifests when JWT authentication is configured to fetch JWKS (JSON Web Key Sets) remotely, with the allow_missing_or_failed flag enabled. If multiple JWT tokens are included in request headers and the JWKS fetch for the first token fails, the onJwksError() callback triggers processing of the second token, which calls fetch() again on the same JwksFetcherImpl instance. Due to a re-entry bug, the original callback's reset() method clears internal state variables (receiver_ and request_) belonging to the second fetch operation. When the asynchronous HTTP response for the second fetch arrives, the cleared state causes a NULL pointer dereference, crashing the Envoy process. This crash results in a denial of service (DoS) condition, impacting availability but not confidentiality or integrity. The vulnerability requires low privileges (PR:L), no user interaction (UI:N), and can be exploited remotely (AV:N). The CVSS v3.1 base score is 6.5, indicating medium severity. No public exploits have been reported to date. The root cause is improper state management in asynchronous JWKS fetching logic under specific JWT authentication configurations.
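The re-entry sequence described above, as an added illustration that is not Envoy's code: the class, member and function names below (Fetcher, fetch(), reset(), receiver_, request_, FakeHttpClient, Receiver) are assumptions chosen to mirror the advisory's wording, and the async HTTP client is a constructed stand-in for an event loop. The vulnerable path invokes the receiver's callback while the fetcher's state is still live and only then calls reset(), so a re-entrant fetch() from the callback has its state wiped; the hardened path detaches the state before handing control to the callback. A real fetcher would dereference nullptr when the second response arrives; this model counts that condition instead of crashing.

```cpp
#include <cstdio>
#include <deque>
#include <functional>
#include <initializer_list>
#include <memory>

// Simulated async HTTP client (constructed for this example): completions
// are queued and delivered later, as an event loop would deliver responses.
struct FakeHttpClient {
  std::deque<std::function<void()>> pending;
  void deliverAll() {
    while (!pending.empty()) {
      auto cb = std::move(pending.front());
      pending.pop_front();  // pop before running: the callback may enqueue more
      cb();
    }
  }
};

// The party waiting for a JWKS result (in Envoy, the JWT filter's authenticator).
struct Receiver {
  std::function<void()> on_success = [] {};
  std::function<void()> on_error = [] {};
  int error_calls = 0;
};

struct Request { int id; };  // stands in for the in-flight HTTP request

class Fetcher {
 public:
  Fetcher(FakeHttpClient& http, bool hardened) : http_(http), hardened_(hardened) {}

  // Start a JWKS fetch on behalf of `receiver`; `fails` models a JWKS
  // endpoint that is unreachable or returns an error.
  void fetch(Receiver* receiver, bool fails) {
    receiver_ = receiver;
    request_ = std::make_unique<Request>(Request{++next_id_});
    http_.pending.push_back([this, fails] { onResponse(fails); });
  }

  // Responses that arrived with receiver_/request_ already cleared. A real
  // implementation would dereference a null pointer here.
  int nullDerefs() const { return null_derefs_; }

 private:
  void reset() {
    receiver_ = nullptr;
    request_.reset();
  }

  void onResponse(bool failed) {
    if (receiver_ == nullptr || request_ == nullptr) {
      ++null_derefs_;
      return;
    }
    if (hardened_) {
      // Hardened ordering: detach this fetch's state before the callback
      // runs, so a re-entrant fetch() installs fresh state that nothing
      // later wipes.
      Receiver* r = receiver_;
      reset();
      if (failed) r->on_error(); else r->on_success();
    } else {
      // Vulnerable ordering: the callback may re-enter fetch() and overwrite
      // receiver_/request_; reset() then clears the *second* fetch's state.
      if (failed) receiver_->on_error(); else receiver_->on_success();
      reset();
    }
  }

  FakeHttpClient& http_;
  bool hardened_;
  Receiver* receiver_ = nullptr;
  std::unique_ptr<Request> request_;
  int next_id_ = 0;
  int null_derefs_ = 0;
};

struct Outcome {
  int null_derefs;
  int first_errors;
  int second_errors;
};

// Two JWT tokens on one request, both JWKS fetches failing. The first
// token's error callback moves on to the second token and re-enters fetch()
// on the same fetcher, which is the sequence the advisory describes.
Outcome runTwoTokenScenario(bool hardened) {
  FakeHttpClient http;
  Fetcher fetcher(http, hardened);
  Receiver first, second;
  second.on_error = [&] { ++second.error_calls; };
  first.on_error = [&] {
    ++first.error_calls;
    fetcher.fetch(&second, /*fails=*/true);  // re-entrant fetch from the callback
  };
  fetcher.fetch(&first, /*fails=*/true);
  http.deliverAll();
  return {fetcher.nullDerefs(), first.error_calls, second.error_calls};
}

int main() {
  for (bool hardened : {false, true}) {
    Outcome o = runTwoTokenScenario(hardened);
    std::printf("%s: null derefs=%d first errors=%d second errors=%d\n",
                hardened ? "hardened" : "vulnerable", o.null_derefs,
                o.first_errors, o.second_errors);
  }
  return 0;
}
```

In the vulnerable ordering the second receiver never hears about its failed fetch and the late response finds cleared state, which is the condition behind the crash; in the hardened ordering both receivers get their error callback and no response arrives without an owner. The general rule the model demonstrates is that an object which may be re-entered from a callback must move itself to a quiescent state before invoking that callback.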
Potential Impact
The primary impact of CVE-2025-64527 is on the availability of Envoy proxy services. Successful exploitation causes the Envoy process to crash, resulting in denial of service. For European organizations, this can disrupt critical edge, middle, or service proxy functions, potentially affecting web application delivery, API gateways, and microservices communication. Organizations relying on JWT authentication with remote JWKS fetching and the allow_missing_or_failed option are particularly exposed. Disruptions could lead to service outages, degraded user experience, and operational downtime. Although the vulnerability does not compromise confidentiality or integrity, the loss of availability can have cascading effects on business continuity, especially in sectors like finance, healthcare, and public services where Envoy is deployed. The medium severity score reflects the moderate risk: the crash is easy to trigger remotely without user interaction, but only specific configurations and versions are affected. European cloud providers, telecom operators, and enterprises with modern service mesh architectures are at higher risk due to their adoption of Envoy in production environments.
Mitigation Recommendations
To mitigate CVE-2025-64527, European organizations should immediately identify Envoy proxy instances running affected versions (1.33.12, 1.34.10, 1.35.6 and 1.36.2, and earlier releases in each line). The primary remediation is to upgrade Envoy to a patched version where this NULL pointer dereference bug is fixed; organizations should monitor official Envoy releases and security advisories for updates. As a temporary workaround, administrators can disable the allow_missing_or_failed option in JWT authentication configurations to prevent the re-entry bug from triggering. Additionally, reviewing JWT token handling to limit multiple tokens in request headers can reduce exposure. Implementing robust monitoring and alerting for Envoy process crashes will help detect exploitation attempts early. Network-level protections such as rate limiting and filtering suspicious requests carrying multiple JWT tokens can further reduce risk. Finally, thorough testing of JWT authentication flows in staging environments before deployment can prevent misconfigurations that enable this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T21:15:39.401Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693081947d648701e0f83592
Added to database: 12/3/2025, 6:29:40 PM
Last enriched: 12/3/2025, 6:36:54 PM
Last updated: 12/5/2025, 2:42:07 AM