Envoy crashes when JWT authentication is configured with the remote...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes a crash when the async HTTP response arrives.

Basic Information

ID CVE-2025-64527

Source GitHub_M

Published Dec 3, 2025 at 18:04

Modified Dec 3, 2025 at 20:18

Affected Product

Vendor envoyproxy

Product envoy

Version >= 1.36.0, <= 1.36.2

Affected Versions envoyproxy envoy >= 1.36.0, <= 1.36.2
envoyproxy envoy >= 1.35.0, <= 1.35.6
envoyproxy envoy >= 1.34.0, <= 1.34.10
envoyproxy envoy <= 1.33.12

CWE Classification

CWE-476

References

github.com /envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866

{
    "lastseen": "",
    "description": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes a crash when the async HTTP response arrives.",
    "published": "2025-12-03T18:04:35.160Z",
    "modified": "2025-12-03T20:18:19.588Z",
    "type": "cve",
    "title": "Envoy crashes when JWT authentication is configured with the remote JWKS fetching",
    "source": "GitHub_M",
    "references": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866",
    "id": "CVE-2025-64527",
    "bulletinFamily": "",
    "cwe": [
        "CWE-476"
    ],
    "cvelist": null,
    "sourceData": "envoyproxy envoy >= 1.36.0, <= 1.36.2\nenvoyproxy envoy >= 1.35.0, <= 1.35.6\nenvoyproxy envoy >= 1.34.0, <= 1.34.10\nenvoyproxy envoy <= 1.33.12",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "envoy",
    "version": ">= 1.36.0, <= 1.36.2",
    "vendor": "envoyproxy",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Envoy crashes when JWT authentication is configured with the remote JWKS fetching_CVE-2025-64527