CVE-2025-64527: Envoy JWT Authentication Vulnerability Leads to Denial of Service

Overview

CVE-2025-64527 is a medium-severity vulnerability in Envoy, the high-performance edge, middle and service proxy. It affects Envoy's JWT (JSON Web Token) authentication HTTP filter (jwt_authn) and can be used to crash the proxy process, producing a denial-of-service (DoS) condition under a specific but common configuration.

Technical Details

The vulnerability is reachable when the jwt_authn filter is configured to fetch its JWKS (JSON Web Key Set) remotely (a provider with remote_jwks rather than local_jwks) and the requirement applied to the route includes the allow_missing_or_failed option, which lets a request through even when its token is absent or fails verification. The crash is triggered when a request carries more than one JWT in its headers and the remote JWKS fetch for the first token fails.

That failure exposes a re-entry bug in JwksFetcherImpl. When the first fetch fails, the fetcher invokes the onJwksError() callback. Because allow_missing_or_failed tells the authenticator to keep going rather than reject the request, the callback proceeds to the next token, which calls fetch() again on the same fetcher object before the first call has finished unwinding.

When control returns to the original callback, its reset() runs and clears the fetcher's state (receiver_ and request_), but by now that state belongs to the second, still in-flight fetch. When the asynchronous HTTP response for the second fetch arrives, the fetcher touches the cleared state and Envoy crashes.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-64527 is 6.5 (MEDIUM). The rating reflects an availability-only impact: an attacker cannot read or modify data, but can take the proxy down. The attack also depends on the vulnerable configuration being present and on the remote JWKS fetch failing at the moment the multi-token request is processed, which is why it does not score higher.

Possible Impact

A successful exploit crashes the Envoy process. Because the crash takes down the whole process, not just the route whose JWT check was being performed, the consequences are:

  • Denial of Service (DoS): every service fronted by the crashed Envoy instance becomes unavailable until the process is restarted.
  • Service Disruption: repeated triggering produces intermittent outages or, if the attacker can keep sending crafted requests, complete service failure.

Mitigation or Patch Steps

The recommended mitigation is to upgrade Envoy to a patched release. The fix is available on each supported release branch; upgrade to the patched version of the branch you run:

  • 1.33.x: upgrade to 1.33.13 or later
  • 1.34.x: upgrade to 1.34.11 or later
  • 1.35.x: upgrade to 1.35.7 or later
  • 1.36.x: upgrade to 1.36.3 or later

If upgrading is not immediately feasible, remove the allow_missing_or_failed option from the JWT requirements on routes whose providers use remote_jwks; since the bug lives in the remote fetcher, providers that ship their keys via local_jwks are not exposed to it. Note that "ensuring only one JWT token is present in request headers" is not something an operator can rely on, because the request headers are chosen by the (possibly hostile) client. Removing allow_missing_or_failed changes behaviour: requests that previously passed through without a valid token will now be rejected, so check which clients depend on that pass-through before applying the workaround.
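The following added example (written for this article, not Envoy's own code or tooling) audits an Envoy configuration for the precondition described above: a jwt_authn provider using remote_jwks combined with a requirement containing allow_missing_or_failed. It walks any Envoy JSON document (a bootstrap file or the admin /config_dump output) for JwtAuthentication typed_configs and inspects both rules and requirement_map entries, including nested requires_any and requires_all. The embedded configurations are constructed for the example; the issuer, audience, cluster and provider names are invented. It also shows the vulnerable configuration beside a hardened one that requires the provider outright.

```python
"""Audit Envoy JSON config for the CVE-2025-64527 pattern: remote_jwks providers
used by a JWT requirement that contains allow_missing_or_failed.
Added example, not Envoy's own code. Names below are constructed for the demo."""
import json

JWT_AUTHN_TYPE = "type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication"


def iter_jwt_authn(node):
    """Yield every JwtAuthentication typed_config found anywhere in a config tree."""
    if isinstance(node, dict):
        if node.get("@type") == JWT_AUTHN_TYPE:
            yield node
        for value in node.values():
            yield from iter_jwt_authn(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_jwt_authn(item)


def _walk_requirement(req, state):
    """Collect provider references and allow_missing_or_failed from a nested JwtRequirement."""
    if not isinstance(req, dict):
        return
    if "allow_missing_or_failed" in req:
        state["allow_failed"] = True
    if "provider_name" in req:
        state["providers"].add(req["provider_name"])
    if "provider_and_audiences" in req:
        state["providers"].add(req["provider_and_audiences"].get("provider_name"))
    for key in ("requires_any", "requires_all"):
        for sub in req.get(key, {}).get("requirements", []):
            _walk_requirement(sub, state)


def find_risky_rules(jwt_authn):
    """Return one finding per rule or requirement_map entry that matches the risky pattern."""
    remote = {name for name, p in jwt_authn.get("providers", {}).items() if "remote_jwks" in p}
    entries = [(f"rule[{i}]", r.get("requires", {})) for i, r in enumerate(jwt_authn.get("rules", []))]
    entries += [(f"requirement_map[{n}]", r) for n, r in jwt_authn.get("requirement_map", {}).items()]
    findings = []
    for label, req in entries:
        state = {"allow_failed": False, "providers": set()}
        _walk_requirement(req, state)
        if not state["allow_failed"]:
            continue
        # A requirement that names no provider is verified against every configured provider.
        candidates = (state["providers"] & remote) if state["providers"] else remote
        if candidates:
            findings.append(f"{label}: allow_missing_or_failed with remote_jwks provider(s) {sorted(candidates)}")
    return findings


def audit(config_json):
    """Audit a whole config document (bootstrap or /config_dump) given as a JSON string."""
    findings = []
    for filt in iter_jwt_authn(json.loads(config_json)):
        findings.extend(find_risky_rules(filt))
    return findings


# --- constructed sample configurations (issuer, cluster and names are invented) ---
REMOTE = {"remote_jwks": {"http_uri": {"uri": "https://issuer.example.test/.well-known/jwks.json",
                                       "cluster": "jwks_cluster", "timeout": "5s"},
                          "cache_duration": "600s"}}
LOCAL = {"local_jwks": {"inline_string": '{"keys": []}'}}  # empty key set, enough for the audit


def _filter(jwks, requires):
    provider = {"issuer": "https://issuer.example.test", "audiences": ["api.example.test"],
                "from_headers": [{"name": "Authorization", "value_prefix": "Bearer "}], **jwks}
    return {"http_filters": [{"name": "envoy.filters.http.jwt_authn",
                              "typed_config": {"@type": JWT_AUTHN_TYPE,
                                               "providers": {"example_provider": provider},
                                               "rules": [{"match": {"prefix": "/api"}, "requires": requires}]}}]}


# Vulnerable pattern: remote JWKS plus a pass-through for missing or failed tokens.
VULNERABLE_CONFIG = json.dumps(_filter(REMOTE, {"requires_any": {"requirements": [
    {"provider_name": "example_provider"}, {"allow_missing_or_failed": {}}]}}))
# Hardened: the rule requires a valid token from the provider; requests to /api
# without one are now rejected instead of passed through.
HARDENED_CONFIG = json.dumps(_filter(REMOTE, {"provider_name": "example_provider"}))
# Local JWKS never uses the remote fetcher, so the precondition is absent.
LOCAL_CONFIG = json.dumps(_filter(LOCAL, {"allow_missing_or_failed": {}}))

if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG), ("local", LOCAL_CONFIG)]:
        print(name, audit(cfg) or "no findings")
```

To run it against a live proxy, save the output of the admin endpoint (for example `curl -s localhost:15000/config_dump`) and pass the file contents to `audit()`; because the walker matches on the `@type` of the typed_config, it does not matter how deeply the listener and filter chain are nested. The hardened configuration is the strict variant; if a route genuinely must admit requests without a token, the upgrade in the previous section is the only fix that keeps that behaviour.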

About the author: cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.