Weiqiu Wen

**Name of the Vulnerable Software and Affected Versions** Envoy versions prior to 1.22.1 **Description** The OAuth filter implementation in Envoy does not include a mechanism for validating access tokens. By design, when the HMAC signed cookie is missing, a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated, thus allowing access in the presence of any access token attached to the request. **Recommendations** For versions prior to 1.22.1, upgrade to version 1.22.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the OAuth filter implementation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Envoy versions prior to 1.22.1 **Description** The issue arises when the OAuth filter attempts to invoke remaining filters in the chain after a local response has been emitted. This can trigger an ASSERT() in newer versions and corrupt memory in earlier versions. The `continueDecoding()` function should not be called from filters after a local reply has been sent. There are no known workarounds for this issue. **Recommendations** For versions prior to 1.22.1, users are advised to upgrade to version 1.22.1 or later to resolve the issue. As a temporary workaround, consider disabling the OAuth filter until a patch is available. Restrict access to the affected `continueDecoding()` function to minimize the risk of exploitation.