x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2025-46821 #3673

GoVulnBot · 2025-05-07T23:01:22Z

Advisory CVE-2025-46821 references a vulnerability in the following Go modules:

Module
github.com/envoyproxy/envoy

Description:
Envoy is a cloud-native edge/middle/service proxy. Prior to versions 1.34.1, 1.33.3, 1.32.6, and 1.31.8, Envoy's URI template matcher incorrectly excludes the * character from a set of valid characters in the URI path. As a result URI path containing the * character will not match a URI template expressions. This can result in bypass of RBAC rules when configured using the uri_template permissions. This vulnerability is fixed in Envoy versions v1.34.1, v1.33.3, v1.32.6, v1.31.8. As a workaround, configure additional RBAC permissions using url_path with safe_regex expression.

References:

ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-46821
WEB: GHSA-c7cm-838g-6g67

Cross references:

github.com/envoyproxy/envoy appears in 70 other report(s):
- data/excluded/GO-2022-0330.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43824 #330) NOT_GO_CODE
- data/excluded/GO-2022-0331.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43825 #331) NOT_GO_CODE
- data/excluded/GO-2022-0332.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43826 #332) NOT_GO_CODE
- data/excluded/GO-2022-0333.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21654 #333) NOT_GO_CODE
- data/excluded/GO-2022-0334.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21655 #334) NOT_GO_CODE
- data/excluded/GO-2022-0335.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335) NOT_GO_CODE
- data/excluded/GO-2022-0336.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21657 #336) NOT_GO_CODE
- data/excluded/GO-2022-0337.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-23606 #337) NOT_GO_CODE
- data/excluded/GO-2022-0484.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29224 #484) NOT_GO_CODE
- data/excluded/GO-2022-0485.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225 #485) NOT_GO_CODE
- data/excluded/GO-2022-0486.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29226 #486) NOT_GO_CODE
- data/excluded/GO-2022-0487.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29227 #487) NOT_GO_CODE
- data/excluded/GO-2022-0488.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228 #488) NOT_GO_CODE
- data/excluded/GO-2023-1690.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27487 #1690) NOT_GO_CODE
- data/excluded/GO-2023-1691.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27488 #1691) NOT_GO_CODE
- data/excluded/GO-2023-1692.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27491 #1692) NOT_GO_CODE
- data/excluded/GO-2023-1693.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693) NOT_GO_CODE
- data/excluded/GO-2023-1694.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27493 #1694) NOT_GO_CODE
- data/excluded/GO-2023-1695.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27496 #1695) NOT_GO_CODE
- data/excluded/GO-2023-1917.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35945 #1917) NOT_GO_CODE
- data/excluded/GO-2023-1921.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-2wmf-p7f8-w42h #1921) NOT_GO_CODE
- data/excluded/GO-2023-1966.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966) NOT_GO_CODE
- data/excluded/GO-2023-1968.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968) NOT_GO_CODE
- data/excluded/GO-2023-1969.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35943 #1969) NOT_GO_CODE
- data/excluded/GO-2023-1970.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35944 #1970) NOT_GO_CODE
- data/excluded/GO-2023-2106.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106) NOT_GO_CODE
- data/excluded/GO-2023-2242.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-15226 #2242) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2247.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-18801 #2247) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2248.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-18802 #2248) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2249.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-18836 #2249) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2250.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-18838 #2250) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2260.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2019-9900 #2260) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2273.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-12603 #2273) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2274.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-12604 #2274) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2275.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-12605 #2275) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2279.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-15104 #2279) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2291.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-25017 #2291) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2292.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-25018 #2292) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2301.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-35470 #2301) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2302.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-35471 #2302) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2307.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8659 #2307) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2308.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8660 #2308) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2309.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8661 #2309) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2310.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8663 #2310) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2023-2311.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2020-8664 #2311) LEGACY_FALSE_POSITIVE
- data/excluded/GO-2024-2542.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23322 #2542) NOT_GO_CODE
- data/excluded/GO-2024-2543.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23323 #2543) NOT_GO_CODE
- data/excluded/GO-2024-2544.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23324 #2544) NOT_GO_CODE
- data/excluded/GO-2024-2545.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23325 #2545) NOT_GO_CODE
- data/excluded/GO-2024-2546.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23327 #2546) NOT_GO_CODE
- data/excluded/GO-2024-2710.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-27919 #2710) NOT_GO_CODE
- data/excluded/GO-2024-2713.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-30255 #2713) NOT_GO_CODE
- data/excluded/GO-2024-2735.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32475 #2735) NOT_GO_CODE
- data/excluded/GO-2024-2890.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-23326 #2890) NOT_GO_CODE
- data/excluded/GO-2024-2892.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32974 #2892) NOT_GO_CODE
- data/excluded/GO-2024-2893.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32975 #2893) NOT_GO_CODE
- data/excluded/GO-2024-2894.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32976 #2894) NOT_GO_CODE
- data/excluded/GO-2024-2895.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-34362 #2895) NOT_GO_CODE
- data/excluded/GO-2024-2896.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-34363 #2896) NOT_GO_CODE
- data/excluded/GO-2024-2897.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-34364 #2897) NOT_GO_CODE
- data/excluded/GO-2024-2960.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-39305 #2960) NOT_GO_CODE
- data/excluded/GO-2024-3144.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-7207 #3144) NOT_GO_CODE
- data/excluded/GO-2024-3145.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-45806 #3145) NOT_GO_CODE
- data/excluded/GO-2024-3146.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-45807 #3146) NOT_GO_CODE
- data/excluded/GO-2024-3147.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-45808 #3147) NOT_GO_CODE
- data/excluded/GO-2024-3148.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-45809 #3148) NOT_GO_CODE
- data/excluded/GO-2024-3149.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-45810 #3149) NOT_GO_CODE
- data/excluded/GO-2024-3345.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-53269 #3345) NOT_GO_CODE
- data/excluded/GO-2024-3346.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-53270 #3346) NOT_GO_CODE
- data/excluded/GO-2024-3347.yaml (x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-53271 #3347) NOT_GO_CODE

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/envoyproxy/envoy
      vulnerable_at: 1.34.1
summary: CVE-2025-46821 in github.com/envoyproxy/envoy
cves:
    - CVE-2025-46821
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-46821
    - web: https://github.com/envoyproxy/envoy/security/advisories/GHSA-c7cm-838g-6g67
source:
    id: CVE-2025-46821
    created: 2025-05-07T23:01:21.653588549Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

GoVulnBot added NeedsTriage cve-year-2025 labels May 7, 2025

thatnealpatel added possibly not Go triaged and removed NeedsTriage labels May 13, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2025-46821 #3673

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2025-46821 #3673

GoVulnBot commented May 7, 2025

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2025-46821 #3673

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2025-46821 #3673

Comments

GoVulnBot commented May 7, 2025