GHSA-3cw6-2j68-868p

Suggest an improvement
Source
https://github.com/advisories/GHSA-3cw6-2j68-868p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3cw6-2j68-868p/GHSA-3cw6-2j68-868p.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3cw6-2j68-868p
Aliases
Published
2026-03-10T18:16:26Z
Modified
2026-03-12T09:26:05.418488Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Envoy vulnerable to crash for scoped ip address during DNS
Details

Summary

Calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter.

Details

The crashing function is Utility::getAddressWithPort. The crash occurs if a string containing a scoped IPv6 address is passed to this function.

This vulnerability affects:

  1. The original src filter: If the filter is configured and the original source is a scoped IPv6 address, it will cause a crash.
  2. DNS response address resolution: If a DNS response contains a scoped IPv6 address, this will also trigger the crash.

PoC

To reproduce the vulnerability:

  1. Method A (Original Src Filter): Configure the original src filter in Envoy and provide a scoped IPv6 address as the original source.
  2. Method B (DNS Resolution): Trigger a DNS resolution process within Envoy where the DNS response contains a scoped IPv6 address.

Impact

This is a Denial of Service (DoS) vulnerability. It impacts users who have the original src filter configured or whose Envoy instances resolve addresses from DNS responses that may contain scoped IPv6 addresses.

Database specific 
{
    "github_reviewed_at": "2026-03-10T18:16:26Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ],
    "nvd_published_at": "2026-03-10T20:16:36Z"
}
References

Affected packages

Go
github.com/envoyproxy/envoy

Package

Name
github.com/envoyproxy/envoy
View open source insights on deps.dev
Purl
pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Affected versions

1.*
1.37.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3cw6-2j68-868p/GHSA-3cw6-2j68-868p.json"
github.com/envoyproxy/envoy

Package

Name
github.com/envoyproxy/envoy
View open source insights on deps.dev
Purl
pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type
SEMVER
Events
Introduced
1.36.0
Last affected
1.36.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3cw6-2j68-868p/GHSA-3cw6-2j68-868p.json"
github.com/envoyproxy/envoy

Package

Name
github.com/envoyproxy/envoy
View open source insights on deps.dev
Purl
pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type
SEMVER
Events
Introduced
1.35.0
Last affected
1.35.8

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3cw6-2j68-868p/GHSA-3cw6-2j68-868p.json"
github.com/envoyproxy/envoy

Package

Name
github.com/envoyproxy/envoy
View open source insights on deps.dev
Purl
pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.34.12

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3cw6-2j68-868p/GHSA-3cw6-2j68-868p.json"