PT-2026-60687 · Go · Github.Com/Envoyproxy/Ai-Gateway
CVE-2026-53715
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
Vulnerability report without repro case. Repro case may be added later after harness is complete.
Preconditions (4):
- Pod-network reachability to :18002 (no auth)
- Tenant can create EnvoyExtensionPolicy (baseline)
- Attacker pod floods GET while churning EnvoyExtensionPolicy with distinct Wasm URLs
- Read at :153 must overlap a write at :201/:209 (probabilistic, attacker controls both rates)
Description:
httpserver.go:153 reads s.mappingPath2Cache with no lock while httpserver.go:201/209 write it under s.Lock(); the struct uses a plain map. Writer is tenant-reachable via EnvoyExtensionPolicy translation, reader is pod-network-reachable on :18002 with per-request goroutines. Go's concurrent map read+write detection calls runtime.throw, which net/http's per-conn recover cannot catch, so the controller process exits — cross-tenant control-plane DoS. Capped at MEDIUM: DoS-only, k8s restarts pod, timing-dependent trigger.
Fix
Race Condition
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Envoyproxy/Ai-Gateway