CVE-2025-30157 Overview
CVE-2025-30157 is a denial-of-service vulnerability in Envoy, a cloud-native high-performance edge/middle/service proxy. It affects deployments that use the ext_proc HTTP filter (external processing over gRPC): when a local reply is generated while a request is being handed to the external processing server, a filter lifetime management bug can crash the proxy. The known trigger is a failed WebSocket handshake, which produces a local reply and brings down the Envoy process.
Critical Impact
An unauthenticated remote client can crash the proxy by sending requests that make Envoy generate a local reply while ext_proc is engaged, the failed WebSocket handshake being the documented case. Envoy runs as a single process with worker threads, so one crash drops every connection the instance was serving, not just the attacker's.
Affected Products
- Envoy 1.33.0 (fixed in 1.33.1)
- Envoy 1.32.x prior to 1.32.4
- Envoy 1.31.x prior to 1.31.6
- Envoy versions prior to 1.30.10
Discovery Timeline
- 2025-03-21 - CVE-2025-30157 published to NVD
- 2025-04-01 - Last updated in NVD database
Technical Details for CVE-2025-30157
Vulnerability Analysis
The bug is improper cleanup of the router filter's upstream requests when a local reply is generated. The ext_proc HTTP filter hands request and response data to an external processing server; when a local reply occurs while it is engaged (a timeout during host selection, or a failed WebSocket handshake), the upstream request state is not torn down, and the filter chain is left holding references to request objects the local reply has already ended. A later operation on that stale state crashes the process.
The vulnerability is classified under CWE-460 (Improper Cleanup on Thrown Exception): the root cause is inadequate resource cleanup on an error handling path. When an error condition triggers a local reply, the upstream requests are not reset, leaving the filter in an inconsistent state that leads to the crash.
Root Cause
The root cause is in the router filter's onLocalReply handler. Before the fix it only cancelled any in-progress host selection; it never touched the upstream_requests_ collection, so after a local reply (for example from a failed WebSocket handshake or a timeout) those upstream requests stayed alive in an invalid state, and a subsequent operation on them crashed the proxy.
The fix adds a resetAll() call to onLocalReply so every upstream request is torn down when a local reply is generated. The call is guarded by a new runtime feature flag, envoy.reloadable_features.router_filter_resetall_on_local_reply; Envoy's convention is that such flags default to true, so the cleanup is active in patched builds unless an operator turns it off.
Attack Vector
The vulnerability is exploitable remotely over the network without authentication. An attack looks like this:
- Open connections to an Envoy listener whose HTTP filter chain includes the ext_proc filter
- Send requests that make Envoy generate a local reply while ext_proc is engaged; a WebSocket upgrade that fails to complete the handshake is the documented trigger
- The local reply path leaves the router filter's upstream requests uncleaned, and the process crashes
- The crash takes down every connection routed through that Envoy instance, not just the attacker's
// Security patch in source/common/router/router.h
// Source: https://github.com/envoyproxy/envoy/commit/8eda1b8ef5ba8663d16a737ab99458c039a9b53c
// Http::StreamFilterBase
void onDestroy() override;
- // If there's a local reply (e.g. timeout) during host selection, cancel host
- // selection.
Http::LocalErrorStatus onLocalReply(const LocalReplyData&) override {
+ // If there's a local reply (e.g. timeout) during host selection, cancel host
+ // selection.
if (host_selection_cancelable_) {
host_selection_cancelable_->cancel();
host_selection_cancelable_.reset();
}
+
+ // Clean up the upstream_requests_.
+ if (Runtime::runtimeFeatureEnabled(
+ "envoy.reloadable_features.router_filter_resetall_on_local_reply")) {
+ resetAll();
+ }
return Http::LocalErrorStatus::Continue;
}
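Review bot: the cleanup is guarded by a runtime flag, but nothing in the hunk records that turning envoy.reloadable_features.router_filter_resetall_on_local_reply off reinstates the crash; extend the comment above the check to name the scenario (e.g. `// Clean up the upstream_requests_; otherwise a local reply raised while ext_proc is engaged (e.g. a failed WebSocket handshake) leaves stale requests behind and crashes.`) and mark the flag as a temporary kill switch in the release note so operators do not disable it casually. resetAll() also now runs on every local reply, including ones raised during host selection when upstream_requests_ may be empty; confirm it is a no-op in that case rather than relying on the caller.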
The patch adds the resetAll() call that tears down all upstream requests when a local reply is generated, closing the crash path. The cleanup is gated on the new runtime flag so it can be switched off if it causes a regression; doing so brings back the pre-patch behaviour.
Detection Methods for CVE-2025-30157
Indicators of Compromise
- Unexpected Envoy crashes or restarts, particularly shortly after WebSocket upgrade attempts
- Increased service mesh connection failures or timeouts while replacement proxies come up
- ext_proc filter errors in Envoy logs immediately followed by process termination
- Bursts of WebSocket upgrade requests (Upgrade: websocket) in access logs that did not complete with 101 Switching Protocols
Detection Strategies
- Monitor Envoy health metrics and restart counters for unexpected crash events
- Alert on Envoy process termination by signal (SIGSEGV, SIGABRT) rather than a clean exit
- Review access logs for failed WebSocket upgrade requests in the minutes before each crash
- Raise the ext_proc component log level temporarily to capture the error conditions that precede a crash
Monitoring Recommendations
- Configure container orchestration platforms (Kubernetes, etc.) to alert on repeated Envoy pod restarts
- Implement distributed tracing to identify connection patterns that precede service disruptions
- Set up log aggregation queries to detect correlations between WebSocket failures and proxy crashes
- Monitor for anomalous connection patterns that may indicate active exploitation attempts
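The detection and monitoring lists above both come down to one query: did a burst of failed WebSocket upgrades precede each Envoy restart? The script below is an added example, not code from the page or from the Envoy project. It assumes access logs are emitted as JSON (Envoy's access log log_format.json_format) with field names chosen here: ts for %START_TIME%, code for %RESPONSE_CODE%, flags for %RESPONSE_FLAGS% and upgrade for %REQ(UPGRADE)%; the log lines and restart timestamps are constructed sample data. Window and threshold are tuning assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Envoy access log (JSON format assumed to be configured via
# log_format.json_format; field names are this example's choice, not Envoy defaults).
ACCESS_LOG = """\
{"ts": "2025-03-20T10:00:01Z", "method": "GET", "path": "/ws", "code": 101, "flags": "-", "upgrade": "websocket"}
{"ts": "2025-03-20T10:04:50Z", "method": "GET", "path": "/ws", "code": 503, "flags": "UF", "upgrade": "websocket"}
{"ts": "2025-03-20T10:04:52Z", "method": "GET", "path": "/ws", "code": 503, "flags": "UF", "upgrade": "websocket"}
{"ts": "2025-03-20T10:04:55Z", "method": "GET", "path": "/ws", "code": 400, "flags": "-", "upgrade": "websocket"}
{"ts": "2025-03-20T10:05:00Z", "method": "GET", "path": "/healthz", "code": 200, "flags": "-", "upgrade": ""}
{"ts": "2025-03-20T10:30:00Z", "method": "GET", "path": "/missing", "code": 404, "flags": "-", "upgrade": ""}
{"ts": "2025-03-20T10:31:10Z", "method": "GET", "path": "/ws", "code": 502, "flags": "UF", "upgrade": "websocket"}
"""

# Constructed Envoy process restart times (e.g. from container lastState.terminated
# .finishedAt in Kubernetes). Only the first follows a burst of failed upgrades.
RESTARTS = ["2025-03-20T10:05:03Z", "2025-03-20T10:45:00Z"]


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_access_log(text: str) -> list:
    """One dict per non-empty JSON line, with ts converted to a datetime."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        entries.append(rec)
    return entries


def is_failed_upgrade(rec: dict) -> bool:
    """A WebSocket upgrade request that did not end in 101 Switching Protocols."""
    return rec.get("upgrade", "").lower() == "websocket" and rec["code"] != 101


def correlate(entries: list, restarts: list, window_s: int = 300, threshold: int = 3) -> list:
    """For each restart, count failed upgrades in the preceding window_s seconds.

    A restart is marked suspicious when the count reaches threshold. The response
    flags seen in the burst are returned to help the analyst tell a local reply
    (e.g. UF, upstream failure) from ordinary client errors.
    """
    results = []
    for restart in restarts:
        r_ts = parse_ts(restart)
        window_start = r_ts - timedelta(seconds=window_s)
        burst = [e for e in entries
                 if window_start <= e["ts"] <= r_ts and is_failed_upgrade(e)]
        results.append({
            "restart": restart,
            "failed_upgrades": len(burst),
            "flags": sorted({e["flags"] for e in burst}),
            "suspicious": len(burst) >= threshold,
        })
    return results


if __name__ == "__main__":
    for row in correlate(parse_access_log(ACCESS_LOG), RESTARTS):
        print(row)
```

One caveat when reading the output: Envoy writes an access log entry when a stream ends, so the request that actually crashed the process usually leaves no line at all. The correlation therefore rests on the attempts that preceded the fatal one (probing, retries, or a rate-limited attacker), and a single suspicious restart with a small burst is worth investigating rather than dismissing.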
How to Mitigate CVE-2025-30157
Immediate Actions Required
- Upgrade Envoy to a patched release: 1.33.1, 1.32.4, 1.31.6, or 1.30.10
- If an immediate upgrade is not possible, remove the ext_proc HTTP filter from the filter chain where it is not critical to operations
- Restrict network access to Envoy listeners that carry the ext_proc filter so untrusted clients cannot reach them
- Rate limiting WebSocket upgrade requests slows an attacker who keeps crashing restarted replicas, but a single crafted request is enough to crash one instance, so it is not a fix on its own
Patch Information
The vulnerability is fixed in Envoy versions 1.33.1, 1.32.4, 1.31.6, and 1.30.10. The fix introduces two new runtime feature flags, both following Envoy's convention of defaulting to true in patched builds:
- envoy.reloadable_features.router_filter_resetall_on_local_reply - resets all upstream requests in the router filter when a local reply is generated
- envoy.reloadable_features.skip_ext_proc_on_local_reply - skips ext_proc processing for local replies
For detailed patch information, refer to the GitHub Security Advisory GHSA-cf3q-gqg7-3fm9 and the commit 8eda1b8ef5ba8663d16a737ab99458c039a9b53c.
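After upgrading, it is worth pinning both fix flags on in the bootstrap so that no runtime override can silently switch them off. The fragment below is an added example, not configuration from the page or the Envoy project; the layer name is an assumption, the two keys are the flag names from the advisory, and layered_runtime/static_layer are Envoy's standard bootstrap fields.

```yaml
# Bootstrap fragment (added example). Pins the CVE-2025-30157 fix flags to true.
# Layer name is an assumption; keys are the runtime flags named in the advisory.
layered_runtime:
  layers:
  - name: cve_2025_30157_fix_flags
    static_layer:
      envoy.reloadable_features.router_filter_resetall_on_local_reply: true
      envoy.reloadable_features.skip_ext_proc_on_local_reply: true
```

The effective values can be confirmed on a running instance with the admin endpoint, GET /runtime (for example curl against the admin listener, which is commonly bound to 127.0.0.1:9901 but is whatever the bootstrap configures). Two caveats: setting these keys on an unpatched binary does nothing, because the code that consults them is not there, so the flags are a guard against regression and not a substitute for the upgrade; and setting either key to false on a patched binary reintroduces the crash path.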
Workarounds
- Remove the ext_proc HTTP filter from the Envoy filter chain if it is not required for your deployment
- Health-check Envoy from the load balancer in front of it so crashed instances drop out of rotation quickly
- Run multiple Envoy replicas behind that load balancer so one crash does not take the whole service down
- Use network policies to limit which clients can reach listeners that carry the ext_proc filter; the data-plane listener is the attack surface here, not the admin interface
# Configuration example - CVE-2025-30157 workaround: drop the ext_proc filter from the
# http_connection_manager filter chain if it is not required. The router filter stays
# as the terminal filter; the ext_proc entry is left commented out for reference.
http_filters:
# - name: envoy.filters.http.ext_proc   # DISABLED - CVE-2025-30157
#   typed_config:
#     "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

