CVE-2025-46821 Information
Description
Envoy is a cloud-native edge/middle/service proxy. Prior to versions 1.34.1, 1.33.3, 1.32.6 and 1.31.8, Envoy's URI template matcher incorrectly excludes the * character from the set of valid characters in the URI path. As a result, a URI path containing the * character will not match URI template expressions. This can result in a bypass of RBAC rules when they are configured using uri_template permissions. This vulnerability is fixed in Envoy versions v1.34.1, v1.33.3, v1.32.6 and v1.31.8. As a workaround, configure additional RBAC permissions using url_path with a safe_regex expression.
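The workaround described above, as an added illustration that is not part of the advisory: an envoy.filters.http.rbac configuration whose DENY policy uses a uri_template permission, with an additional url_path safe_regex permission alongside it so that paths containing * are still covered. The policy name, the /admin path template and the regex are assumptions chosen for the example.

```yaml
# Added example, not from the advisory or the Envoy project. Field names follow
# the Envoy RBAC filter API; the policy name, path template and regex are assumed.
http_filters:
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: DENY
      policies:
        "deny-admin":
          principals:
          - any: true
          # Permissions within a policy are OR'd: a request that matches any one
          # of them is denied.
          permissions:
          # On affected versions a path containing '*' does not match this
          # template, so this permission alone would let such a request through.
          - uri_template:
              name: envoy.path.match.uri_template.uri_template_matcher
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                path_template: "/admin/{rest=**}"
          # Workaround from the advisory: a url_path permission with a safe_regex
          # that also denies paths under /admin/ which contain a '*' character.
          # The regex is an assumption; widen it to whatever the template covers.
          - url_path:
              path:
                safe_regex:
                  regex: "^/admin/.*\\*.*"
```

Keep the additional permission in place until the listener is upgraded to a fixed version; it is harmless once the template matcher accepts * again.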
Reference
https://github.com/envoyproxy/envoy/security/advisories/GHSA-c7cm-838g-6g67