Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.

INFO

Published Date :

2025-12-03T18:13:58.496Z

Last Modified :

2025-12-03T20:02:40.284Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64763 vulnerability.

Vendors Products
Envoyproxy
  • Envoy
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64763.

URL Resource
https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-64763 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-64763 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact