CVE-2025-62504 Overview
CVE-2025-62504 is a use-after-free vulnerability affecting Envoy, a widely deployed open source edge and service proxy used extensively in cloud-native environments and service mesh architectures. The vulnerability exists in the Lua filter component and can be triggered when a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB). When this condition occurs, Envoy generates a local reply whose headers override the original response headers, leaving dangling references that cause a crash and result in denial of service.
Critical Impact
This use-after-free vulnerability can cause Envoy proxy instances to crash, resulting in denial of service for applications and microservices relying on Envoy for traffic management. Organizations running Envoy in production service mesh deployments may experience significant availability impacts.
Affected Products
- Envoy versions earlier than 1.36.2
- Envoy versions earlier than 1.35.6
- Envoy versions earlier than 1.34.10
- Envoy versions earlier than 1.33.12
Discovery Timeline
- 2025-10-16 - CVE-2025-62504 published to NVD
- 2025-10-29 - Last updated in NVD database
Technical Details for CVE-2025-62504
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a memory corruption vulnerability type. The flaw resides in how Envoy handles response body modifications performed by Lua filter scripts during the response processing phase. When a Lua script modifies a response body to exceed the per_connection_buffer_limit_bytes threshold, Envoy's internal error handling mechanism generates a local reply. However, this process incorrectly overrides the original response headers without properly managing memory references, creating dangling pointers that lead to a use-after-free condition.
The attack can be performed remotely without authentication, requires no user interaction, and has low complexity to execute. The vulnerability specifically impacts availability—while there is no confidentiality or integrity impact, the denial of service condition can significantly affect production environments where Envoy serves as a critical infrastructure component.
Root Cause
The root cause is a memory safety flaw in Envoy's Lua filter implementation. When the response body size exceeds the configured buffer limits, the error handling path that generates local replies fails to properly manage the lifecycle of response header objects. The original response headers are overwritten by the local reply headers, but existing references to the original headers are not invalidated, resulting in dangling pointers that cause memory corruption when subsequently accessed.
Attack Vector
An attacker can exploit this vulnerability remotely over the network by crafting requests that trigger Lua scripts to generate oversized response bodies. The attack vector is network-based and does not require authentication or user interaction, making it accessible to remote unauthenticated attackers who can send requests through an Envoy proxy configured with Lua filters.
The exploitation scenario involves:
- Identifying an Envoy deployment using Lua filters in the response processing phase
- Crafting requests designed to trigger Lua scripts that modify response bodies
- Ensuring the modified response body exceeds the per_connection_buffer_limit_bytes threshold
- The resulting use-after-free condition causes Envoy to crash, denying service
The vulnerability manifests in the response body rewriting logic within the Lua filter. When the modified response exceeds buffer limits, Envoy's local reply generation creates dangling references to response headers that have been freed or overwritten. Technical details are available in the GitHub Security Advisory.
Detection Methods for CVE-2025-62504
Indicators of Compromise
- Unexpected Envoy proxy crashes or restarts in environments using Lua filters
- Core dumps or crash reports indicating use-after-free memory errors
- Increased error rates or availability issues in services fronted by Envoy
- Log entries indicating buffer limit exceeded conditions during response processing
Detection Strategies
- Monitor Envoy access and error logs for patterns indicating buffer limit violations during Lua script execution
- Implement health checks that detect unexpected Envoy process restarts or crashes
- Use memory debugging tools in development environments to identify use-after-free conditions
- Deploy application performance monitoring to detect service degradation patterns consistent with proxy crashes
Monitoring Recommendations
- Enable detailed logging for Lua filter operations to capture response body size modifications
- Configure alerting on Envoy process crash events or unexpected container restarts
- Monitor memory usage patterns and crash frequencies across Envoy fleet deployments
- Implement circuit breakers to detect and respond to repeated proxy failures
How to Mitigate CVE-2025-62504
Immediate Actions Required
- Upgrade Envoy to patched versions: 1.36.2, 1.35.6, 1.34.10, or 1.33.12
- Review Lua filter configurations for scripts that modify response bodies
- Consider temporarily disabling Lua filters that perform response body modifications until patching is complete
- Implement monitoring for Envoy crashes and unusual restart patterns
Patch Information
Security patches have been released by Envoyproxy to address this vulnerability. Organizations should upgrade to the following fixed versions based on their current deployment:
- Version 1.36.x users: Upgrade to 1.36.2 or later
- Version 1.35.x users: Upgrade to 1.35.6 or later
- Version 1.34.x users: Upgrade to 1.34.10 or later
- Version 1.33.x users: Upgrade to 1.33.12 or later
Detailed patch information is available in the Envoy Security Advisory.
Workarounds
- Increase per_connection_buffer_limit_bytes to reduce the likelihood of triggering the condition (note: this does not fix the underlying memory safety flaw)
- For HTTP/2 connections, increase initial_stream_window_size configuration
- Increase per_request_buffer_limit_bytes or request_body_buffer_limit settings
- Limit or audit Lua scripts that modify response bodies to ensure they do not produce oversized responses
# Example configuration adjustment (workaround only - does not fix underlying vulnerability)
# Increase buffer limits in Envoy configuration
# listeners:
# - name: listener_0
# per_connection_buffer_limit_bytes: 10485760 # 10MB instead of default 1MB
#
# Note: Upgrading to patched versions is the recommended remediation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
