Cyber Resilience

CVE-2025-25294

Medium

Published: 06 March 2025

Modified: 04 September 2025
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0027 (51.1th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25294 is a medium-severity Improper Output Neutralization for Logs (CWE-117) vulnerability in Envoyproxy Gateway. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Clear Linux or Mac System Logs (T1685.006). The CVE ranks in the top 48.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Vulnerability details

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. All Envoy Gateway versions prior to 1.2.7 and 1.3.1 use a default Envoy Proxy access log configuration. This format is vulnerable to log injection attacks. An attacker who sends a specially crafted user-agent that performs JSON injection can add and overwrite fields in the access log. This vulnerability is fixed in 1.3.1 and 1.2.7. The old text-based default format can be overridden with the JSON formatter by modifying the "EnvoyProxy.spec.telemetry.accessLog" setting.
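The following is an added illustration, not code from Envoy Gateway or from the advisory: it contrasts a JSON-shaped text template with a real JSON serializer and shows a log-side check for duplicate keys and unparseable lines. The template string, field names and sample values are assumptions constructed for the demonstration.

```python
import json

# Hypothetical JSON-shaped *text* template (assumption for illustration;
# not Envoy Gateway's actual default access log format string).
TEXT_TEMPLATE = ('{{"method":"{method}","path":"{path}",'
                 '"x-forwarded-for":"{xff}","user-agent":"{ua}"}}')

def render_text(fields):
    """Vulnerable style: raw header values are pasted into the template."""
    return TEXT_TEMPLATE.format(**fields)

def render_json(fields):
    """Hardened style: a JSON serializer escapes quotes in every value."""
    return json.dumps({"method": fields["method"], "path": fields["path"],
                       "x-forwarded-for": fields["xff"],
                       "user-agent": fields["ua"]})

def inspect_line(line):
    """Parse one log line; return (parsed_or_None, list_of_findings)."""
    dupes = []

    def hook(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:          # a later key silently wins in most parsers
                dupes.append(key)
            seen[key] = value
        return seen

    try:
        parsed = json.loads(line, object_pairs_hook=hook)
    except json.JSONDecodeError:
        return None, ["invalid-json"]
    return parsed, ["duplicate-key:" + k for k in dupes]

# Constructed sample request (documentation-range addresses). The user-agent
# closes its own string and appends a second x-forwarded-for field.
CRAFTED = {"method": "GET", "path": "/", "xff": "203.0.113.7",
           "ua": 'curl/8.0","x-forwarded-for":"198.51.100.9'}

if __name__ == "__main__":
    for render in (render_text, render_json):
        line = render(CRAFTED)
        print(render.__name__, inspect_line(line)[1], line)
```

Running `inspect_line` over stored access logs from an affected deployment flags lines where a field was overwritten or where the line no longer parses, which are the two outcomes the advisory describes.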

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1685.006 · Clear Linux or Mac System Logs · Defense Impairment
Adversaries may clear system logs to hide evidence of an intrusion.
T1685.002 · Disable or Modify Cloud Log · Defense Impairment
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.
Why these techniques?

The log injection vulnerability allows remote attackers to overwrite access log fields (e.g., X-Forwarded-For) or render logs invalid JSON, impairing log integrity to hide malicious activity. This maps to clearing/modifying Linux system logs (T1070.002) and disabling/modifying cloud logs (T1562.008) in Kubernetes/Envoy environments.

Affected Assets

envoyproxy
gateway
≤ 1.2.7 · 1.3.0 — 1.3.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-117

Policy and procedures require sanitization and neutralization when generating audit logs to avoid injection issues.

addresses: CWE-117

Requiring output to conform to expected content prevents unneutralized data from reaching logs.

References