PT-2025-5269 · Envoy Gateway

Guydc · Published 2025-01-23 · Updated 2025-09-09 · CVE-2025-24030

CVSS v3.1: 7.1 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Envoy Gateway versions prior to 1.2.6

Description: A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and to extract the Envoy configuration, which may contain confidential data. For example, the following command returns the configuration dump of the proxy: curl --path-as-is http://<Proxy-Service-ClusterIP>:19001/stats/prometheus/../../config_dump. The EnvoyProxy API can be used to apply a bootstrap config patch that restricts access strictly to the Prometheus stats endpoint ("/stats/prometheus").

Recommendations: For versions prior to 1.2.6, update to version 1.2.6 to fix the issue. As a temporary workaround, use the EnvoyProxy API to apply a bootstrap config patch (a JSONPatch, as in the example provided with the upstream advisory) that restricts access strictly to the /stats/prometheus endpoint; limiting the stats listener to that one path minimizes the risk of exploitation.
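The workaround described above, as an added example that is not part of this record and not the Envoy Gateway project's own code: an EnvoyProxy resource whose bootstrap JSONPatch replaces the stats listener's route match so that only an exact GET /stats/prometheus is forwarded to the admin cluster, together with the GatewayClass parametersRef that makes the resource apply. The resource names and namespace are hypothetical, and the JSON pointer assumes the default Envoy Gateway 1.2 bootstrap layout (stats listener first, one filter chain, one HTTP connection manager, one virtual host, /stats/prometheus as its first route); check it against the bootstrap your gateway actually renders before applying.

```yaml
# Added example (not from the PT-2025-5269 record or the Envoy Gateway project).
# Default bootstrap matches the stats route by prefix, so any path that starts
# with /stats/prometheus is forwarded to the admin cluster. Replacing the match
# with an exact path (and restricting the method to GET) means a path that
# continues past /stats/prometheus matches no route and is answered with 404
# by the listener itself, never reaching the admin interface.
#
# Assumption: the pointer indexes below (listeners/0, filter_chains/0,
# filters/0, virtual_hosts/0, routes/0) follow the default 1.2 bootstrap.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: restrict-stats-endpoint      # hypothetical name
  namespace: envoy-gateway-system    # assumed namespace of the controller
spec:
  bootstrap:
    type: JSONPatch
    jsonPatches:
      - op: replace
        path: /static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match
        value:
          path: /stats/prometheus     # exact match replaces the prefix match
          headers:
            - name: ":method"
              string_match:
                exact: GET
---
# The patch only affects proxies whose GatewayClass references the EnvoyProxy
# resource; without parametersRef the default bootstrap stays in place.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg                           # hypothetical GatewayClass name
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: restrict-stats-endpoint
    namespace: envoy-gateway-system
```

After the proxy pods have rolled out with the new bootstrap, confirm from inside the cluster that a plain GET to port 19001 /stats/prometheus still returns metrics while any request with a longer path under it gets a 404 from the listener rather than an admin response. The patch is a stopgap that narrows one listener; the fix shipped in Envoy Gateway 1.2.6 is what removes the underlying prefix-match behaviour.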

Related Identifiers

BIT-ENVOY-GATEWAY-2025-24030
CVE-2025-24030
GHSA-J777-63HF-HX76
GO-2025-3418
OPENSUSE-SU-2025:14710-1
OPENSUSE-SU-2025_0297-1
SUSE-SU-2025:0297-1

Affected Products

Envoy Gateway
SUSE