Vulnerability-Lookup

CVE-2025-24030 (GCVE-0-2025-24030)

Vulnerability from cvelistv5 – Published: 2025-01-23 03:20 – Updated: 2025-01-23 14:58

Title

Envoy Admin Interface Exposed through prometheus metrics endpoint

Summary

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CWE

CWE-419 - Unprotected Primary Channel

Assigner

GitHub_M

References

URL

Tags

	https://github.com/envoyproxy/gateway/security/ad…	x_refsource_CONFIRM
	https://github.com/envoyproxy/gateway/commit/3eb3…	x_refsource_MISC
	https://www.envoyproxy.io/docs/envoy/latest/confi…	x_refsource_MISC
	https://www.envoyproxy.io/docs/envoy/latest/opera…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	envoyproxy	gateway	Affected: < 1.2.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24030",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-23T14:58:52.009540Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-23T14:58:59.485Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gateway",
          "vendor": "envoyproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-419",
              "description": "CWE-419: Unprotected Primary Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-23T03:20:27.802Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76"
        },
        {
          "name": "https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd"
        },
        {
          "name": "https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge"
        },
        {
          "name": "https://www.envoyproxy.io/docs/envoy/latest/operations/admin",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.envoyproxy.io/docs/envoy/latest/operations/admin"
        }
      ],
      "source": {
        "advisory": "GHSA-j777-63hf-hx76",
        "discovery": "UNKNOWN"
      },
      "title": "Envoy Admin Interface Exposed through prometheus metrics endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-24030",
    "datePublished": "2025-01-23T03:20:27.802Z",
    "dateReserved": "2025-01-16T17:31:06.460Z",
    "dateUpdated": "2025-01-23T14:58:59.485Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-24030\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-23T14:58:52.009540Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-23T14:58:55.684Z\"}}], \"cna\": {\"title\": \"Envoy Admin Interface Exposed through prometheus metrics endpoint\", \"source\": {\"advisory\": \"GHSA-j777-63hf-hx76\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"envoyproxy\", \"product\": \"gateway\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.2.6\"}]}], \"references\": [{\"url\": \"https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76\", \"name\": \"https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd\", \"name\": \"https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge\", \"name\": \"https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.envoyproxy.io/docs/envoy/latest/operations/admin\", \"name\": \"https://www.envoyproxy.io/docs/envoy/latest/operations/admin\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-419\", \"description\": \"CWE-419: Unprotected Primary Channel\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-23T03:20:27.802Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-24030\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-23T14:58:59.485Z\", \"dateReserved\": \"2025-01-16T17:31:06.460Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-01-23T03:20:27.802Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-J777-63HF-HX76

Vulnerability from github – Published: 2025-01-23 17:51 – Updated: 2025-01-23 17:51

Summary

Envoy Admin Interface Exposed through prometheus metrics endpoint

Details

Impact

A user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data).

For example, the following command, if run from within the Kubernetes cluster, can be used to get the configuration dump of the proxy:

curl --path-as-is http://<Proxy-Service-ClusterIP>:19001/stats/prometheus/../../config_dump

Patches

1.2.6

Workarounds

The EnvoyProxy API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-config
  namespace: default
spec:
  bootstrap:
    type: JSONPatch
    jsonPatches:
    - op: "add"
      path: "/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/normalize_path"
      value: true
    - op: "replace"
      path: "/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match"
      value:
        path: "/stats/prometheus"
        headers:
          - name: ":method"
            exact_match: GET

References

Envoy Admin Interface: https://www.envoyproxy.io/docs/envoy/latest/operations/admin
Envoy Configuration Best Practices: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-419"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-23T17:51:08Z",
    "nvd_published_at": "2025-01-23T04:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). \n\nFor example, the following command, if run from within the Kubernetes cluster, can be used to get the configuration dump of the proxy:\n```\ncurl --path-as-is http://\u003cProxy-Service-ClusterIP\u003e:19001/stats/prometheus/../../config_dump\n```\n### Patches\n1.2.6\n\n### Workarounds\nThe `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch. \n\n```\napiVersion: gateway.envoyproxy.io/v1alpha1\nkind: EnvoyProxy\nmetadata:\n  name: custom-proxy-config\n  namespace: default\nspec:\n  bootstrap:\n    type: JSONPatch\n    jsonPatches:\n    - op: \"add\"\n      path: \"/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/normalize_path\"\n      value: true\n    - op: \"replace\"\n      path: \"/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match\"\n      value:\n        path: \"/stats/prometheus\"\n        headers:\n          - name: \":method\"\n            exact_match: GET\n```\n\n### References\n- Envoy Admin Interface: https://www.envoyproxy.io/docs/envoy/latest/operations/admin\n- Envoy Configuration Best Practices: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge",
  "id": "GHSA-j777-63hf-hx76",
  "modified": "2025-01-23T17:51:08Z",
  "published": "2025-01-23T17:51:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/envoyproxy/gateway"
    },
    {
      "type": "WEB",
      "url": "https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge"
    },
    {
      "type": "WEB",
      "url": "https://www.envoyproxy.io/docs/envoy/latest/operations/admin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Envoy Admin Interface Exposed through prometheus metrics endpoint"
}

FKIE_CVE-2025-24030

Vulnerability from fkie_nvd - Published: 2025-01-23 04:15 - Updated: 2025-09-04 14:02

Severity ?

7.1 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd	Patch
security-advisories@github.com	https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76	Mitigation, Third Party Advisory
security-advisories@github.com	https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge	Product
security-advisories@github.com	https://www.envoyproxy.io/docs/envoy/latest/operations/admin	Product

Impacted products

	Vendor	Product	Version
	envoyproxy	gateway	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:envoyproxy:gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0526026F-EB95-485C-A5AF-D1C02FD192C8",
              "versionEndExcluding": "1.2.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch."
    },
    {
      "lang": "es",
      "value": "Envoy Gateway es un proyecto de c\u00f3digo abierto para administrar Envoy Proxy como una puerta de enlace de aplicaciones independiente o basada en Kubernetes. Un usuario con acceso al cl\u00faster de Kubernetes puede usar un ataque de recorrido de ruta para ejecutar comandos de la interfaz de administraci\u00f3n de Envoy en servidores proxy administrados por cualquier versi\u00f3n de Envoy Gateway anterior a la 1.2.6. La interfaz de administraci\u00f3n se puede usar para finalizar el proceso de Envoy y extraer la configuraci\u00f3n de Envoy (que posiblemente contenga datos confidenciales). La versi\u00f3n 1.2.6 soluciona el problema. Como workaround, se puede usar la API `EnvoyProxy` para aplicar un parche de configuraci\u00f3n de arranque que restrinja el acceso estrictamente al endpoint de estad\u00edsticas de Prometheus. A continuaci\u00f3n, encontrar\u00e1 un ejemplo de un parche de arranque de este tipo."
    }
  ],
  "id": "CVE-2025-24030",
  "lastModified": "2025-09-04T14:02:18.040",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-23T04:15:07.100",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/envoyproxy/gateway/commit/3eb3301ab3dbf12b201b47bdb6074d1233be07bd"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-j777-63hf-hx76"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.envoyproxy.io/docs/envoy/latest/operations/admin"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-419"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-24030 (GCVE-0-2025-24030)

GHSA-J777-63HF-HX76

Impact

Patches

Workarounds

References

FKIE_CVE-2025-24030

Tags

Sightings

Nomenclature