Flow Control Management Vulnerability in Envoy Proxy by Envoy
CVE-2025-62409

6.6 MEDIUM

Key Information:

Vendor

Envoyproxy

Status
Vendor
CVE Published:
16 October 2025

What is CVE-2025-62409?

Envoy Proxy, a cloud-native edge and service proxy, has a flow control management vulnerability that can crash its TCP connection pool. The issue arises when a connection is closing while upstream data continues to flow, which causes a null reference in the buffer watermark callback. Affected scenarios include TCP proxy and mixed HTTP/1 and HTTP/2 usage with ALPN. The issue is addressed in versions 1.36.1, 1.35.5, 1.34.9, and 1.33.10.

Affected Version(s)

Package   Affected range           Unaffected   Fixed in
envoy     >= 1.36.0, < 1.36.1      < 1.36.0     1.36.1
envoy     >= 1.35.0, < 1.35.5      < 1.35.0     1.35.5
envoy     >= 1.34.0, < 1.34.9      < 1.34.0     1.34.9

References

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
