Protection Mechanism Failure Affecting envoyproxy/envoy package, versions [1.8.0, 1.33.13), [1.34.0, 1.34.11), [1.35.0,]


Severity

medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-UNMANAGED-ENVOYPROXYENVOY-14176096
  • Published: 4 Dec 2025
  • Disclosed: 3 Dec 2025
  • Credit: Patrick Smith

Introduced: 3 Dec 2025

CVE-2025-64763
CWE-693

How to fix?

A fix has been pushed to the master branch but has not yet been published in a release.

Overview

Affected versions of this package are vulnerable to Protection Mechanism Failure in the handling of CONNECT requests in TCP proxy mode. Bytes that a client sends immediately after a CONNECT request, before the proxy has returned a 2xx response, are forwarded to the upstream server even when the tunnel is never successfully established. An attacker can use this to desynchronize the tunnel state between the proxy and the upstream server, since the upstream receives tunnel payload for a tunnel the proxy has not confirmed.

Notes:

  • To avoid disrupting existing deployments, upgraded versions still accept early CONNECT data by default. To actually close the vulnerability, set the envoy.reloadable_features.reject_early_connect_data runtime flag to true after upgrading.
  • The fix is also expected to ship in v1.35.7 and v1.36.3; at the time this advisory was updated, those versions had not yet been released.
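The runtime flag can be set in the bootstrap's layered_runtime block, the usual place for envoy.reloadable_features.* overrides. The fragment below is an added example written for this page, not configuration taken from the Envoy project or from the advisory; only the flag name comes from the advisory, while the layer name, the admin listener address and the surrounding structure are assumptions chosen for illustration.

```yaml
# Added example (not from the advisory or the Envoy project): bootstrap
# fragment that enables the fix. The flag name is the one named in the
# advisory; the admin address and the layer name are assumptions.
admin:
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9901

layered_runtime:
  layers:
    # A static layer is evaluated at startup; the name is arbitrary.
    - name: static_layer_0
      static_layer:
        # Patched builds still default this to false, i.e. data sent by the
        # client before the 2xx is still forwarded upstream. Set it to true
        # so that early CONNECT data is rejected instead.
        envoy.reloadable_features.reject_early_connect_data: true
```

After a restart, the admin interface's /runtime endpoint (here http://127.0.0.1:9901/runtime) lists the key with its final value, which confirms the layer was loaded. It does not confirm that the binary honours the key: on a build that predates the fix the key is just an unused runtime entry, so check the running Envoy version against the fixed ranges above as well.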
