Contour, a Kubernetes ingress controller using Envoy proxy, has a code injection vulnerability (CWE-94) in its Cookie Rewriting feature. Versions from 1.19.0 to before 1.31.6, 1.32.5, and 1.33.4 allow attackers with RBAC permissions to inject Lua code via spec.routes[].cookieRewritePolicies[].pathRewrite.value fields. The injection occurs because user input is interpolated into Lua source code without sufficient sanitization using Go text/template. The injected code executes when processing traffic on the attacker-controlled route but can access Envoy's xDS client credentials or cause denial of service affecting other tenants sharing the Envoy instance. The vulnerability has a CVSS 3.1 score of 8.1 (high severity).

An attacker with permissions to create or modify HTTPProxy resources can execute arbitrary Lua code within the Envoy proxy process. This can lead to unauthorized reading of sensitive xDS client credentials and denial of service conditions impacting other tenants sharing the Envoy instance. The attack is limited to routes controlled by the attacker but leverages shared infrastructure to escalate impact. The vulnerability does not require user interaction and has a low attack complexity but requires some privileges (RBAC).

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The description notes that the vulnerability is fixed in Contour versions 1.33.4, 1.32.5, and 1.31.6. Users should upgrade to these or later versions to remediate the issue. Until patched, restrict RBAC permissions to prevent unauthorized creation or modification of HTTPProxy resources involving cookieRewritePolicies. Monitor vendor channels for official advisories and patches.