PT-2025-48970 · Envoy · Envoy

Published: 2025-12-03 · Updated: 2025-12-06 · CVE-2025-64763

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Envoy versions 1.33.12 through 1.36.2
Description: Envoy, a high-performance edge/middle/service proxy, has an issue when configured in TCP proxy mode to handle CONNECT requests: it accepts client data before a 2xx response has been issued and forwards that data to the upstream TCP connection. If a forwarding proxy upstream of Envoy then responds with a non-2xx status, the CONNECT tunnel state becomes de-synchronized. By default, Envoy continues to allow early CONNECT data so that existing deployments are not disrupted. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response; this is appropriate when intermediaries upstream of Envoy may reject establishment of a CONNECT tunnel.
Recommendations: Set the envoy.reloadable_features.reject_early_connect_data runtime flag to true so that CONNECT requests which send data before a 2xx response are rejected.
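The advisory names the runtime flag but not where it is set. The bootstrap fragment below is an added illustration (not Envoy project configuration and not part of this record) showing the flag enabled in a static runtime layer, with an admin layer on top so it can be toggled on a running instance; the admin address and port (127.0.0.1:9901) are assumptions for this example.

```yaml
# Added example: enable the mitigation flag from CVE-2025-64763 via Envoy's
# layered runtime. Place this in the bootstrap alongside your listeners/clusters.
admin:
  address:
    socket_address:
      address: 127.0.0.1   # assumed admin bind address for this example
      port_value: 9901     # assumed admin port for this example

layered_runtime:
  layers:
    # Static layer: value is fixed at startup and survives restarts.
    - name: static_layer_0
      static_layer:
        envoy.reloadable_features.reject_early_connect_data: true
    # Admin layer: lets an operator override the static value at runtime
    # through the admin interface without restarting the proxy.
    - name: admin_layer_0
      admin_layer: {}
```

With the admin layer present, the same flag can be switched on a live instance with a POST to the admin endpoint `/runtime_modify?envoy.reloadable_features.reject_early_connect_data=true`, and the effective value can be confirmed by reading `/runtime`, which lists every layer and the value each contributes. Because the static layer is evaluated first and the admin layer last, an admin override wins until the process restarts, so the static layer should still carry `true` for the setting to persist.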

Exploit

Fix

Weakness Enumeration

Protection Mechanism Failure

Related Identifiers

BIT-ENVOY-2025-64763
CVE-2025-64763
GHSA-RJ35-4M94-77JH

Affected Products

Envoy