8.2

Envoy Proxy: Malicious Headers Can Bypass Security Rules

GHSA-ghc4-35x6-crw5 · CVE-2026-26308
Summary

If you're using an older version of Envoy, attackers could send multiple copies of the same header to trick the RBAC filter into allowing a request. This could let them bypass security rules that are meant to restrict access to certain areas of your network. Update to Envoy 1.37.1, 1.36.5, 1.35.8, or 1.34.13 to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor       Product                          Affected versions           Fix available
envoyproxy   envoy                            <= 1.34.13
envoyproxy   envoy                            > 1.35.0, <= 1.35.8
envoyproxy   envoy                            > 1.36.0, <= 1.36.5
envoyproxy   envoy                            1.37.0
github.com   envoyproxy                       1.37.0
github.com   envoyproxy                       > 1.36.0, <= 1.36.4
github.com   envoyproxy                       > 1.35.0, <= 1.35.8
github.com   envoyproxy                       <= 1.34.12
envoyproxy   github.com/envoyproxy/envoy      All versions
envoyproxy   github.com/envoyproxy/envoy      > 1.36.0, <= 1.36.4
envoyproxy   github.com/envoyproxy/envoy      > 1.35.0, <= 1.35.8
envoyproxy   github.com/envoyproxy/envoy      <= 1.34.12
Original title
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it valid...
Original description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
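The following is an added illustration of the matching behaviour the description above refers to; it is not Envoy's own code. It models an exact-match header deny rule evaluated two ways: against the comma-joined string (the pre-fix behaviour the advisory describes) and against each header value individually (the corrected behaviour). It also includes a defender-side helper that flags requests carrying repeated copies of a policy-relevant header, which is worth logging while unpatched versions remain in service. The header name `x-request-mode`, the denied value `debug`, and the sample requests are constructed for this example.

```python
"""
Added example, not Envoy's code: models the RBAC header-matching flaw
described in the advisory (joined vs. per-value evaluation).
Header names, denied values and sample requests are constructed.
"""
from typing import Dict, List, Tuple

# A request's headers as name -> list of values, so repeated headers survive.
Headers = Dict[str, List[str]]


def joined_value(headers: Headers, name: str) -> str:
    """Pre-fix behaviour described in the advisory: all values of a repeated
    header are folded into one comma-separated string before matching."""
    return ",".join(headers.get(name.lower(), []))


def deny_matches_joined(headers: Headers, name: str, denied_value: str) -> bool:
    """Exact-match deny rule evaluated against the concatenated string.
    Any extra value for the same header changes the joined string, so the
    exact match no longer fires and the deny rule is silently skipped."""
    return joined_value(headers, name) == denied_value


def deny_matches_per_value(headers: Headers, name: str, denied_value: str) -> bool:
    """Corrected behaviour: every value of the header is checked on its own,
    so the denied value is caught regardless of how many values accompany it."""
    return any(v == denied_value for v in headers.get(name.lower(), []))


def repeated_policy_headers(headers: Headers, policy_headers: List[str]) -> List[str]:
    """Defender-side check: which policy-relevant headers arrived with more
    than one value. On an unpatched proxy such requests deserve a log entry."""
    return [h for h in policy_headers if len(headers.get(h.lower(), [])) > 1]


# Constructed sample requests: lower-cased header names, list of values each.
SINGLE: Headers = {"x-request-mode": ["debug"]}
DUPLICATED: Headers = {"x-request-mode": ["debug", "normal"]}

# Hypothetical deny rule: header x-request-mode must not exactly equal "debug".
RULE_HEADER = "x-request-mode"
RULE_DENIED_VALUE = "debug"


def evaluate(headers: Headers) -> Tuple[bool, bool]:
    """Return (deny fires on joined value, deny fires per value)."""
    return (
        deny_matches_joined(headers, RULE_HEADER, RULE_DENIED_VALUE),
        deny_matches_per_value(headers, RULE_HEADER, RULE_DENIED_VALUE),
    )


if __name__ == "__main__":
    for label, req in (("single", SINGLE), ("duplicated", DUPLICATED)):
        joined, per_value = evaluate(req)
        print(
            f"{label:10} joined={joined_value(req, RULE_HEADER)!r:16} "
            f"deny(joined)={joined!s:5} deny(per-value)={per_value!s:5} "
            f"repeated={repeated_policy_headers(req, [RULE_HEADER])}"
        )
```

For the single-valued request both evaluations agree and the deny rule fires; for the request with a repeated header only the per-value evaluation still denies, which is the behaviour the fixed releases restore. Until those releases are deployed, the `repeated_policy_headers` check gives a simple signal to alert on at an upstream layer.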
Severity (GHSA, CVSS 3.1): 7.5
Vulnerability type
CWE-20 Improper Input Validation
CWE-863 Incorrect Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026