Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor description states unauthenticated exploitation, overriding official PR:L; pure availability crash, no confidentiality or integrity impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionNVD
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
AnalysisAI
The envoy.filters.http.grpc_stats HTTP filter in Envoy versions 1.26.0 through the pre-fix releases crashes with a null pointer dereference when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) is routed to a direct_response route, terminating the Envoy process entirely. The vendor description states a single unauthenticated HTTP request is sufficient to trigger the crash, giving any network-reachable attacker a trivial one-packet denial of service against affected deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two specific non-default configuration conditions must both be present simultaneously: (1) the envoy.filters.http.grpc_stats HTTP filter must be explicitly configured in the HTTP filter chain, and (2) at least one route within that filter chain must use a direct_response route action rather than forwarding to an upstream cluster. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official NVD score of 6.5 with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H reflects a network-exploitable, low-complexity, availability-only impact - but there is a critical discrepancy: the vector assigns PR:L (low privileges required) while the vulnerability description explicitly states 'a single unauthenticated HTTP request crashes the Envoy process.' If unauthenticated exploitation is accurate, the effective score is closer to 7.5 (PR:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies or infers that an Envoy gateway or sidecar proxy has the grpc_stats filter active on a route configured with a direct_response action, then sends a single HTTP GET or POST request to that endpoint with the header Content-Type: application/connect+proto. The grpc_stats filter attempts to record statistics for the Connect protocol request but dereferences a null pointer in the absence of an upstream cluster object, immediately crashing the Envoy worker process. … |
| Remediation | Upgrade Envoy to one of the vendor-confirmed patched releases: 1.35.13, 1.36.9, 1.37.5, or 1.38.3, as documented in GitHub Security Advisory GHSA-3jxh-8p6x-7pf6 at https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.8
An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1
Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1
Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Rated
When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). R
Envoy's RBAC filter improperly concatenates duplicate HTTP headers into comma-separated strings instead of validating ea
Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i
Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i
Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39824