Ggreenway

#47314 of 53,633 · Total CVSS 5.4 · Vulnerabilities: 1
PT-2023-21163 · CVSS 5.4 · 2023-04-04 · Envoy · Envoy · CVE-2023-27488
**Name of the Vulnerable Software and Affected Versions**

Envoy versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9

**Description**

The issue concerns escalation of privileges when `failure_mode_allow: true` is configured for the `ext_authz` filter in Envoy, an open source edge and service proxy. This can occur when Envoy receives an HTTP header with non-UTF-8 data and is configured to use certain filters and services. As a result, Envoy may generate an invalid protobuf message, leading to unforeseen errors, including a lack of visibility into requests. In versions 1.26.0 and later, Envoy sanitizes values sent in gRPC service calls to be valid UTF-8 by default.

**Recommendations**

For versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, update to version 1.26.0, 1.25.3, 1.24.4, 1.23.6, or 1.22.9 to resolve the issue. As a temporary workaround, set `failure_mode_allow: false` for the `ext_authz` filter. To temporarily revert the behavioral change of sanitizing non-UTF-8 strings in gRPC service calls, set the runtime guard `envoy.reloadable_features.service_sanitize_non_utf8_strings` to false.
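As an added configuration example (not taken from this advisory or from Envoy's own documentation), the two settings the recommendations name, with the fail-open value shown beside the recommended fail-closed one. The cluster name `ext_authz_cluster`, the layer name `static_layer_0` and the `0.25s` timeout are assumptions, and the listener and route wiring around the filter is omitted.

```yaml
# Fragment 1: the ext_authz entry of an HttpConnectionManager's http_filters list.
# failure_mode_allow: true is the fail-open setting the advisory warns about.
# When the authorization call errors (for example because a non-UTF-8 header
# value produced an invalid protobuf request), the request is allowed through.
# The advisory's workaround is the fail-closed value shown here.
http_filters:
  - name: envoy.filters.http.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
      transport_api_version: V3
      failure_mode_allow: false     # weak configuration had: true
      grpc_service:
        envoy_grpc:
          cluster_name: ext_authz_cluster   # assumed cluster name
        timeout: 0.25s                      # assumed timeout
---
# Fragment 2: bootstrap runtime layer. On a fixed version the sanitizing
# behaviour is on by default; pinning it explicitly makes any later override
# visible in configuration review. A value of false reverts to sending
# unsanitized strings in gRPC service calls, as the advisory describes.
layered_runtime:
  layers:
    - name: static_layer_0          # assumed layer name
      static_layer:
        envoy.reloadable_features.service_sanitize_non_utf8_strings: true
```

The two fragments are separate pieces of an Envoy configuration and are shown as one file only for side-by-side reading.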