Path Traversal Vulnerability in Envoy Gateway by EnvoyProxy
CVE-2025-24030
7.1 HIGH
What is CVE-2025-24030?
A path traversal vulnerability has been identified in Envoy Gateway, the control plane for managing Envoy Proxy in standalone or Kubernetes environments. A user with access to the Kubernetes cluster can reach the Envoy Admin interface through a path traversal attack and issue unauthorized commands to the proxies managed by an affected version of Envoy Gateway. An attacker could terminate the Envoy process and extract configuration details, including sensitive information. The vulnerability is fixed in version 1.2.6; as a mitigation, bootstrap config patches can be used to restrict access to only the essential endpoints.
Affected Version(s)
gateway < 1.2.6
