PT-2025-48969 · Envoy · Envoy

Published: 2025-12-03 · Updated: 2025-12-06 · CVE-2025-64527
CVSS v3.1: 6.5 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Envoy versions 1.33.12 through 1.36.2
Description: Envoy, a high-performance edge/middle/service proxy, crashes when JWT authentication is configured with remote JWKS fetching enabled, allow_missing_or_failed is set to true, multiple JWT tokens are present in the request headers, and the JWKS fetch fails. The cause is a re-entry bug in the JwksFetcherImpl component: when the first token's JWKS fetch fails, the onJwksError() callback starts processing the next token, which calls fetch() again on the same fetcher object. The reset() that follows then clears the state of that second fetch, so the fetcher crashes when the second fetch's asynchronous HTTP response arrives.
Recommendations: Update to a version later than 1.36.2.
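A toy model of the re-entry described above, added here as an illustration and not taken from Envoy's source: ToyFetcher, the deliverFailure() driver and the "guarded" flag are invented stand-ins, and the guarded branch is one assumed hardening (only tear down the request the callback was handling), not the project's actual fix.

```cpp
// Added toy model of the re-entrant fetcher hazard; not Envoy code.
// ToyFetcher, deliverFailure() and the "guarded" check are invented here.
#include <functional>
#include <memory>
#include <vector>

enum class Outcome { Ok, StaleStateUse };   // StaleStateUse stands in for the crash
struct InFlight { int id; };                // stand-in for an in-flight HTTP request

class ToyFetcher {
public:
  using ErrorCb = std::function<void()>;
  explicit ToyFetcher(bool guarded) : guarded_(guarded) {}

  // Start a fetch; its failure is delivered later by deliverFailure().
  void fetch(ErrorCb on_error) {
    active_ = std::make_unique<InFlight>(InFlight{++next_id_});
    on_error_ = std::move(on_error);
    wire_.push_back(active_->id);           // pretend the request is on the wire
  }
  void reset() { active_.reset(); on_error_ = nullptr; }

  // Simulated network reports a failure for the oldest request (cf. onJwksError()).
  Outcome deliverFailure() {
    const int id = wire_.front();
    wire_.erase(wire_.begin());
    if (!active_ || active_->id != id)      // real code would dereference cleared state here
      return Outcome::StaleStateUse;
    ErrorCb cb = on_error_;                 // copy: cb() may overwrite on_error_ via fetch()
    cb();                                   // may re-enter fetch() on this same object
    // Unguarded: tear down whatever is active now, even a fetch started inside cb().
    // Guarded (assumed hardening, not Envoy's fix): only tear down our own request.
    if (!guarded_ || (active_ && active_->id == id)) reset();
    return Outcome::Ok;
  }

private:
  bool guarded_;
  std::unique_ptr<InFlight> active_;
  ErrorCb on_error_;
  std::vector<int> wire_;
  int next_id_ = 0;
};

// Two tokens in one request: token 2's fetch starts inside token 1's error callback.
Outcome twoTokenScenario(bool guarded) {
  ToyFetcher f(guarded);
  f.fetch([&f] { f.fetch([] {}); });        // token 1 fails -> token 2 fetched re-entrantly
  f.deliverFailure();                       // token 1's JWKS fetch fails
  return f.deliverFailure();                // token 2's response arrives afterwards
}
```

twoTokenScenario(false) reproduces the stale-state path that the description maps to a crash; twoTokenScenario(true) completes cleanly.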

Weakness Enumeration: NULL Pointer Dereference

Related Identifiers: BIT-ENVOY-2025-64527, CVE-2025-64527, GHSA-MP85-7MRQ-R866

Affected Products: Envoy