TCP Proxy Mode Vulnerability in Envoy Proxy by Envoy Proxy Maintainers
CVE-2025-64763
Severity: 3.7 (LOW)
What is CVE-2025-64763?
The Envoy Proxy, when configured in TCP proxy mode to manage CONNECT requests, improperly accepts client data prior to issuing a 2xx response. This behavior can lead to severe desynchronization in the CONNECT tunnel state when an upstream forwarding proxy responds with a non-2xx status. While Envoy is designed to allow early CONNECT data to maintain compatibility with existing deployments, users can mitigate risks by enabling the envoy.reloadable_features.reject_early_connect_data runtime flag, which rejects such requests and improves state consistency.
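The runtime flag named above is set through Envoy's runtime layer. The following bootstrap fragment, added here as an illustration and not taken from the advisory or from the Envoy project, assumes a `layered_runtime` block with a single static layer; the layer name `static_layer_0` is an arbitrary choice. Setting the flag to `true` makes Envoy reject CONNECT requests that carry client data before a 2xx response has been sent, which is the mitigation the advisory describes.

```yaml
# Added example: enable the mitigation for CVE-2025-64763 via Envoy's
# runtime configuration. The layer name is arbitrary; the flag name is
# the one given in the advisory.
layered_runtime:
  layers:
    - name: static_layer_0
      static_layer:
        # Reject CONNECT requests that send payload before the 2xx response,
        # so the tunnel state cannot desynchronize when the upstream proxy
        # answers with a non-2xx status.
        envoy.reloadable_features.reject_early_connect_data: true
```

After deploying the change, the effective value of the flag can be confirmed on the admin interface under `/runtime` (assuming the admin endpoint is enabled), and clients that depended on sending early CONNECT data will start receiving rejections, which is the expected behaviour under this setting.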
Affected Version(s)
envoy >= 1.36.0, <= 1.36.2
envoy >= 1.35.0, <= 1.35.6
envoy >= 1.34.0, <= 1.34.10
