CVE-2025-30157
Published: 21 March 2025
Summary
CVE-2025-30157 is a medium-severity Improper Cleanup on Thrown Exception (CWE-460) vulnerability in Envoyproxy Envoy. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 9.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification, reporting, and patching of software flaws like the Envoy ext_proc filter lifetime issue causing crashes.
Implements denial-of-service protections at network boundaries to mitigate crash-based availability impacts from triggers like failed WebSocket handshakes.
Enables continuous monitoring to identify anomalous crashes or DoS conditions resulting from exploitation of the ext_proc filter vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables exploitation of the Envoy proxy application to trigger a crash and denial-of-service condition, matching T1499.004 Application or System Exploitation.
NVD Description
Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's lifetime issue. A known situation is the failure of a websocket handshake will trigger a local reply leading to the crash of Envoy. This vulnerability is fixed in 1.33.1, 1.32.4, 1.31.6, and 1.30.10.
Deeper analysis
CVE-2025-30157 is a vulnerability in Envoy, a cloud-native high-performance edge/middle/service proxy, specifically affecting the ext_proc HTTP filter in versions prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10. The issue stems from a filter lifetime problem that causes Envoy to crash when a local reply is sent to the external server. A known trigger is the failure of a WebSocket handshake, which generates such a local reply and leads to the crash. It is associated with CWE-460 and has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).
An attacker with network access to an affected Envoy instance can exploit this vulnerability with low attack complexity, though it requires user interaction. No privileges are needed from the attacker. Exploitation triggers a denial-of-service condition by crashing the Envoy process, with no impact on confidentiality or integrity.
Mitigation is available through upgrades to Envoy versions 1.33.1, 1.32.4, 1.31.6, or 1.30.10, which address the filter lifetime issue. Additional details are provided in the Envoy security advisory (GHSA-cf3q-gqg7-3fm9) and the fixing commit (8eda1b8ef5ba8663d16a737ab99458c039a9b53c).
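A triage check for the upgrade guidance above, as an added example that is not part of the original page or of Envoy's own tooling: it compares a deployed version against the fixed release for its branch and checks whether the configuration references the ext_proc filter at all. The sample version string and config are constructed, and treating branches newer than 1.33 as fixed and branches older than 1.30 as unfixed is an assumption.

```python
import re

# Fixed patch release per branch, as listed on this page.
FIXED = {(1, 30): 10, (1, 31): 6, (1, 32): 4, (1, 33): 1}

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_VERSION = "envoy  version: 0000000000000000000000000000000000000000/1.32.3/Clean/RELEASE/BoringSSL"
SAMPLE_CONFIG = """\
http_filters:
- name: envoy.filters.http.ext_proc
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
- name: envoy.filters.http.router
"""

def parse_version(text):
    """Extract (major, minor, patch) from a bare version or `envoy --version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def version_is_fixed(version):
    """True if the version is at or past the fixed release for its branch."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED:
        return patch >= FIXED[branch]
    # Assumption: branches after 1.33 carry the fix; branches before 1.30 never received it.
    return branch > max(FIXED)

def uses_ext_proc(config_text):
    """Text-level check; matches the filter name and the typed_config type URL."""
    return "filters.http.ext_proc" in config_text

def triage(version_text, config_text):
    """Classify one Envoy instance for CVE-2025-30157 patch prioritisation."""
    version = parse_version(version_text)
    if version_is_fixed(version):
        status = "patched"
    elif uses_ext_proc(config_text):
        status = "exposed"  # vulnerable build with the affected filter configured
    else:
        status = "unpatched, ext_proc not configured"
    return {"version": ".".join(map(str, version)), "status": status}

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```

Instances reported as "unpatched, ext_proc not configured" still need the upgrade; the status only helps order the rollout.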
Details
- CWE(s)