Cyber Posture

CVE-2025-24030

Severity: High
Published: 23 January 2025
Modified: 04 September 2025
KEV Added: not listed
Patch: Envoy Gateway 1.2.6
CVSS Score: 7.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0018 (39.3rd percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24030 is a high-severity Unprotected Primary Channel (CWE-419) vulnerability in Envoyproxy Gateway. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). Its EPSS score ranks at the 39.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 2 other techniques.
AI-specific risk: MITRE ATLAS Valid Accounts (AML.T0012) plus 2 more.
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Timely remediation of the path traversal flaw by applying the fix in Envoy Gateway version 1.2.6 directly prevents exploitation of the vulnerability.

Prevent (CM-6, Configuration Settings): Establishing secure configuration settings, such as the bootstrap patch restricting Envoy Admin interface access to only the Prometheus stats endpoint, mitigates unauthorized command execution.

Prevent (SI-10, Information Input Validation): Validating inputs to prevent path traversal attacks directly addresses the core mechanism allowing execution of Envoy Admin commands.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1489 Service Stop (Impact)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.

T1602.002 Network Device Configuration Dump (Collection)
Adversaries may access network configuration files to collect sensitive data about the device and the network.
Why these techniques?

Path traversal via Prometheus metrics endpoint enables exploitation of the Envoy Admin interface (T1210), process termination (T1489), and extraction of proxy configuration data (T1602.002).

MITRE ATLAS Techniques

AML.T0012: Valid Accounts
AML.T0038
AML.T0048: External Harms

NVD Description

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior to 1.2.6. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). Version 1.2.6 fixes the issue. As a workaround, the `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the Prometheus stats endpoint. Find below an example of such a bootstrap patch.

Deeper analysis

CVE-2025-24030 is a path traversal vulnerability in Envoy Gateway, an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. It affects all versions of Envoy Gateway prior to 1.2.6, allowing unauthorized execution of commands on the Envoy Admin interface of managed proxies. The issue is classified under CWE-419 (Unprotected Primary Channel) with a CVSS v3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), reflecting a high availability impact alongside a low confidentiality impact.

A user with access to the Kubernetes cluster can exploit this vulnerability via a path traversal attack to invoke Envoy Admin interface commands on affected proxies. Successful exploitation enables termination of the Envoy process, causing denial of service, and extraction of the Envoy configuration, which may contain confidential data.

Version 1.2.6 of Envoy Gateway resolves the vulnerability. As a workaround, administrators can use the EnvoyProxy API to apply a bootstrap configuration patch that restricts Admin interface access strictly to the Prometheus stats endpoint. Additional details are available in the Envoy Gateway security advisory (GHSA-j777-63hf-hx76) and the fixing commit (3eb3301ab3dbf12b201b47bdb6074d1233be07bd), along with Envoy documentation on edge best practices and Admin interface operations.
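The restriction the workaround describes (in the NVD description and the analysis above), shown as an added illustrative Envoy listener configuration rather than the advisory's actual bootstrap patch or Envoy Gateway's shipped bootstrap: only the exact Prometheus stats path is proxied to the admin listener, dot segments and doubled slashes are normalized before route matching, and every other path is answered with a 404. The listener and cluster names and both port numbers are assumptions; how such a fragment is applied through the EnvoyProxy API's bootstrap field is covered by the advisory and not shown here.

```yaml
# Added illustrative example, not the advisory's patch or Envoy Gateway's own
# bootstrap. Names and ports below are assumptions.
static_resources:
  listeners:
    - name: envoy-prometheus-stats          # assumed listener name
      address:
        socket_address: { address: 0.0.0.0, port_value: 19001 }   # assumed port
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: prometheus_stats
                # Resolve "." and ".." segments and collapse "//" before the
                # route table is consulted, so a traversal-style path is matched
                # on its normalized form rather than its raw form.
                normalize_path: true
                merge_slashes: true
                path_with_escaped_slashes_action: UNESCAPE_AND_REJECT
                route_config:
                  virtual_hosts:
                    - name: prometheus_stats
                      domains: ["*"]
                      routes:
                        # Weak form: `prefix: /stats/prometheus` forwards every
                        # path beneath that prefix to the admin cluster.
                        # Hardened form: an exact-path match, so only this one
                        # endpoint reaches the admin listener.
                        - match: { path: /stats/prometheus }
                          route: { cluster: prometheus_stats }
                        # Anything else is refused here instead of being proxied.
                        - match: { prefix: / }
                          direct_response: { status: 404 }
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: prometheus_stats                # assumed cluster name
      type: STATIC
      load_assignment:
        cluster_name: prometheus_stats
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    # Envoy admin listener, loopback only; port is an assumption.
                    socket_address: { address: 127.0.0.1, port_value: 19000 }
```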

Details

CWE(s): CWE-419 (Unprotected Primary Channel)

Affected Products: envoyproxy gateway ≤ 1.2.6

CVEs Like This One

CVE-2026-22771 (same product: Envoyproxy Gateway)
CVE-2025-30157 (same vendor: Envoyproxy)
CVE-2026-26308 (same vendor: Envoyproxy)
CVE-2026-26310 (same vendor: Envoyproxy)
CVE-2026-26330 (same vendor: Envoyproxy)
