ISTIO-SECURITY-2025-002
CVEs reported by Envoy.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2025-55162, CVE-2025-54588 |
| CVSS Impact Score | 6.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Affected Releases | 1.27.0 to 1.27.1, 1.26.0 to 1.26.5 |
CVE
Envoy CVEs
- CVE-2025-62504 (CVSS score 6.5, Medium): A sufficiently large response body modified by the Lua filter causes Envoy to crash.
- CVE-2025-62409 (CVSS score 6.6, Medium): Large requests and responses can cause a TCP connection pool crash.
Am I Impacted?
You are impacted if you use Lua via EnvoyFilter and it returns an oversized response body exceeding per_connection_buffer_limit_bytes (default 1MB), or if you have large requests and responses where a connection can be closed while data from upstream is still being sent.
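A defender-side check for the "Am I Impacted?" question above, added here as an example rather than Istio's own tooling: it tests a version string against the advisory's affected ranges and scans EnvoyFilter objects for the Envoy Lua HTTP filter. The `envoy.filters.http.lua` name and the `envoy.extensions.filters.http.lua.v3.Lua` typed config are Envoy's real identifiers; the EnvoyFilter objects in SAMPLE are constructed.

```python
"""Added audit helper for ISTIO-SECURITY-2025-002 (not Istio's own code).
Flags an Istio version in an affected range and any EnvoyFilter that injects
the Envoy Lua HTTP filter, the configuration the Lua body crash requires.
Input shape matches `kubectl get envoyfilter -A -o json`; SAMPLE is constructed."""

# Affected release ranges from the advisory, inclusive.
AFFECTED = [((1, 27, 0), (1, 27, 1)), ((1, 26, 0), (1, 26, 5))]
LUA_NAME = "envoy.filters.http.lua"
LUA_TYPE = "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"

def parse_version(v):
    """'1.27.1' or 'v1.27.1' -> (1, 27, 1)."""
    return tuple(int(p) for p in v.lstrip("v").split("."))

def is_affected(version):
    """True if the control-plane version falls inside an affected range."""
    t = parse_version(version)
    return any(lo <= t <= hi for lo, hi in AFFECTED)

def walk(obj):
    """Yield every dict nested anywhere in obj; patch values vary in depth."""
    if isinstance(obj, dict):
        yield obj
        for v in obj.values():
            yield from walk(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk(v)

def lua_envoyfilters(envoyfilter_list):
    """Return 'namespace/name' of EnvoyFilters that reference the Lua HTTP filter."""
    hits = []
    for item in envoyfilter_list.get("items", []):
        if any(d.get("name") == LUA_NAME or d.get("@type") == LUA_TYPE
               for d in walk(item.get("spec", {}))):
            meta = item["metadata"]
            hits.append(f"{meta['namespace']}/{meta['name']}")
    return hits

# Constructed sample: one Lua response-body rewrite, one unrelated network filter patch.
SAMPLE = {"items": [
    {"metadata": {"namespace": "istio-system", "name": "lua-body-rewrite"},
     "spec": {"configPatches": [{"applyTo": "HTTP_FILTER", "patch": {
         "operation": "INSERT_BEFORE", "value": {"name": LUA_NAME, "typed_config": {
             "@type": LUA_TYPE, "inlineCode": "-- constructed placeholder"}}}}]}},
    {"metadata": {"namespace": "default", "name": "tcp-proxy-tuning"},
     "spec": {"configPatches": [{"applyTo": "NETWORK_FILTER", "patch": {
         "operation": "MERGE", "value": {"name": "envoy.filters.network.tcp_proxy"}}}]}},
]}

if __name__ == "__main__":
    print("1.27.1 affected:", is_affected("1.27.1"), "| Lua EnvoyFilters:", lua_envoyfilters(SAMPLE))
```

Feed it the real cluster output with `json.load()` in place of SAMPLE; any hit on a version flagged as affected is a filter to review or remove until the proxies are upgraded.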