{"id":"CVE-2025-64763","summary":"Envoy forwards early CONNECT data in TCP proxy mode","details":"Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.","aliases":["BIT-envoy-2025-64763","GHSA-rj35-4m94-77jh"],"modified":"2026-04-10T05:33:57.364357Z","published":"2025-12-03T18:13:58.496Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64763.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-693"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64763.json"},{"type":"ADVISORY","url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64763"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"63ee0dc79dce88117c6bd2df5a742f8eb67ea980"},{"last_affected":"dc2d3098ae5641555f15c71d5bb5ce0060a8015c"}],"database_specific":{"versions":[{"introduced":"1.36.0"},{"last_affected":"1.36.2"}]}},{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"84305a6cb64bd55aaf606bdd53de7cd6080427a1"},{"last_affected":"0d240c4b0f5b5db91ef14b1bf424520144b1a75d"}],"database_specific":{"versions":[{"introduced":"1.35.0"},{"last_affected":"1.35.6"}]}},{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"d7809ba2b07fd869d49bfb122b27f6a7977b4d94"},{"last_affected":"40ab4828a48f05103573ddee3c807dfa0e3e23f7"}],"database_specific":{"versions":[{"introduced":"1.34.0"},{"last_affected":"1.34.10"}]}},{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"0"},{"last_affected":"d602fb5d4af3ef3740621590e59187233398e0c0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.33.12"}]}}],"versions":["v1.0.0","v1.1.0","v1.10.0","v1.11.0","v1.12.0","v1.13.0","v1.14.0","v1.15.0","v1.16.0","v1.17.0","v1.18.0","v1.18.1","v1.18.2","v1.19.0","v1.2.0","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.24.0","v1.25.0","v1.26.0","v1.27.0","v1.28.0","v1.29.0","v1.3.0","v1.30.0","v1.31.0","v1.32.0","v1.33.0","v1.33.1","v1.33.10","v1.33.11","v1.33.12","v1.33.2","v1.33.3","v1.33.4","v1.33.5","v1.33.6","v1.33.7","v1.33.8","v1.33.9","v1.34.0","v1.34.1","v1.34.10","v1.34.2","v1.34.3","v1.34.4","v1.34.5","v1.34.6","v1.34.7","v1.34.8","v1.34.9","v1.35.0","v1.35.1","v1.35.2","v1.35.3","v1.35.4","v1.35.5","v1.35.6","v1.36.0","v1.36.1","v1.36.2","v1.4.0","v1.5.0","v1.6.0","v1.7.0","v1.8.0","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64763.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}