Overly Restrictive Regular Expression Affecting envoyproxy/envoy package, versions [,1.31.8)[1.32.0,1.32.6)[1.33.0,1.33.3)[1.34.0,1.34.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.1% (29th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-ENVOYPROXYENVOY-10292121
  • published2 Jun 2025
  • disclosed7 May 2025
  • creditBartosz Chwila

Introduced: 7 May 2025

CVE-2025-46821  (opens in a new tab)
CWE-186  (opens in a new tab)

How to fix?

Upgrade envoyproxy/envoy to version 1.31.8, 1.32.6, 1.33.3, 1.34.1 or higher.

Overview

Affected versions of this package are vulnerable to Overly Restrictive Regular Expression due to the incorrect exclusion of the * character in the URI path matcher. An attacker can bypass RBAC rules by crafting a URI path that includes the * character.

Note:

This is only exploitable if RBAC rules are configured using the uri_template permissions.

Workaround

This vulnerability can be mitigated by configuring additional RBAC permissions using url_path with safe_regex expression.

References

CVSS Base Scores

version 4.0
version 3.1