CVE-2025-25294
Published: 06 March 2025
Summary
CVE-2025-25294 is a medium-severity Improper Output Neutralization for Logs (CWE-117) vulnerability in Envoyproxy Gateway. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Clear Linux or Mac System Logs (T1685.006). It is ranked in the top 48.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7667
Vulnerability details
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection attacks. If an attacker uses a specially crafted user-agent that performs JSON injection, they could add and overwrite fields in the access log. This vulnerability is fixed in 1.3.1 and 1.2.7. One can overwrite the old text-based default format with the JSON formatter by modifying the "EnvoyProxy.spec.telemetry.accessLog" setting.
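The difference between the two formatters described above, as an added example that is not code from this page or from the Envoy Gateway project: constructed requests are rendered through a text template that only looks like JSON and through a real JSON serializer, and each resulting line is audited for invalid JSON or duplicate keys. The template, field names and sample values are assumptions made for illustration.

```python
import json

# Assumed stand-in for a text-format access log template that merely looks like
# JSON; the field names are illustrative, not Envoy Gateway's actual default.
TEXT_TEMPLATE = '{{"method":"{method}","x-forwarded-for":"{xff}","user-agent":"{ua}"}}'

def render_text(fields):
    """Text formatter: values are substituted verbatim, with no JSON escaping."""
    return TEXT_TEMPLATE.format(**fields)

def render_json(fields):
    """JSON formatter: the serializer escapes quotes inside every value."""
    return json.dumps({"method": fields["method"],
                       "x-forwarded-for": fields["xff"],
                       "user-agent": fields["ua"]})

def audit_line(line):
    """Return a list of integrity findings for one access log line."""
    duplicates = []
    def track(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:          # a later pair silently replaces the earlier one
                duplicates.append(key)
            seen[key] = value
        return seen
    try:
        json.loads(line, object_pairs_hook=track)
    except json.JSONDecodeError:
        return ["invalid-json"]
    return ["duplicate-key:" + k for k in duplicates]

# Constructed sample requests: one ordinary, one whose user-agent carries a
# quote followed by an extra key/value pair, and one with an unbalanced quote.
SAMPLES = [
    {"method": "GET", "xff": "203.0.113.7", "ua": "curl/8.5.0"},
    {"method": "GET", "xff": "203.0.113.7", "ua": 'x","x-forwarded-for":"198.51.100.1'},
    {"method": "GET", "xff": "203.0.113.7", "ua": 'broken"quote'},
]

def compare():
    """Audit each sample as rendered by the text and by the JSON formatter."""
    return [(audit_line(render_text(s)), audit_line(render_json(s))) for s in SAMPLES]

if __name__ == "__main__":
    for text_findings, json_findings in compare():
        print("text:", text_findings, "| json:", json_findings)
```

Running `audit_line` over stored access logs from a deployment that still uses the text format gives a quick integrity check: duplicate keys and unparseable lines are the two visible traces of this class of injection.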
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The log injection vulnerability allows remote attackers to overwrite access log fields (e.g., X-Forwarded-For) or render the logs invalid as JSON, impairing log integrity to hide malicious activity. This maps to clearing/modifying Linux system logs (T1070.002) and disabling/modifying cloud logs (T1562.008) in Kubernetes/Envoy environments.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.