GHSA-cf3q-gqg7-3fm9

Source

https://github.com/advisories/GHSA-cf3q-gqg7-3fm9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-cf3q-gqg7-3fm9/GHSA-cf3q-gqg7-3fm9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cf3q-gqg7-3fm9

Aliases

Related

CVE-2025-30157

Published

2025-03-21T15:23:50Z

Modified

2025-03-25T08:52:35.289845Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Envoy crashes when HTTP ext_proc processes local replies

Details

Summary

Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's life time issue. A known situation is the fail of a websocket handshake will trigger a local reply leading to the crash of Envoy.

PoC

If both websocket and extproc are enabled, a failed handshake will trigger a local reply, thus extproc will crash.

Mitigation

Disable websocket traffic
Change the websocket response from backend to always return 101 Switch protocol based on RFC.
Apply the patch and the extproc filter will not send the local reply that is generated by Envoy to the extproc server for processing.
Apply the patch that the router will cancel the upstream requests when sending a local reply.

Impact

Denial of service

Reporter

Vasilios Syrakis Fernando Cainelli

Database specific

{
    "nvd_published_at": "2025-03-21T15:15:43Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T15:23:50Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-460"
    ]
}

References