Cyber Posture

CVE-2025-24030

High

Published: 23 January 2025

Modified: 04 September 2025
CVSS Score: 7.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0018 (39.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may access network configuration files to collect sensitive data about the device and the network.

Security Summary

CVE-2025-24030 is a path traversal vulnerability in Envoy Gateway, an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. It affects all versions of Envoy Gateway prior to 1.2.6 and allows unauthorized invocation of commands on the Envoy Admin interface of managed proxies. The issue is classified under CWE-419 (Unprotected Primary Channel) with a CVSS v3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), reflecting a high availability impact alongside a low confidentiality impact.

A user with access to the Kubernetes cluster can exploit this vulnerability through a path traversal attack to invoke Envoy Admin interface commands on affected proxies. Successful exploitation allows termination of the Envoy process, causing a denial of service, and extraction of the Envoy configuration, which may contain confidential data.

Version 1.2.6 of Envoy Gateway resolves the vulnerability. As a workaround, administrators can use the EnvoyProxy API to apply a bootstrap configuration patch that restricts Admin interface access strictly to the Prometheus stats endpoint. Additional details are available in the Envoy Gateway security advisory (GHSA-j777-63hf-hx76) and the fixing commit (3eb3301ab3dbf12b201b47bdb6074d1233be07bd), along with Envoy documentation on edge best practices and Admin interface operations.
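As an added illustration (not code from this page or from Envoy Gateway), the Python sketch below shows why restricting the route to the exact stats endpoint, which is what the workaround amounts to, closes a traversal that a prefix test on the raw request path leaves open. It assumes, as the page implies but does not state, that the stats listener forwarded any path beginning with the metrics prefix to the Admin interface; the log lines are constructed.

```python
"""Prefix match on a raw path versus exact match on the normalized path.

Added illustration for CVE-2025-24030; not Envoy Gateway's own code. It
assumes (as the workaround on this page implies) that the stats listener
forwarded requests to the Admin interface on a path *prefix* match, so
dot-segments after the prefix could resolve to other Admin endpoints.
"""
from posixpath import normpath

METRICS_PATH = "/stats/prometheus"


def normalize(request_path: str) -> str:
    """Drop the query string and collapse '.' / '..' segments: the path the
    upstream actually sees once the request has been normalized."""
    path = request_path.split("?", 1)[0]
    return normpath(path)


def allowed_by_prefix(request_path: str) -> bool:
    """Weak check: prefix test on the raw, un-normalized request path."""
    return request_path.startswith(METRICS_PATH)


def allowed_by_exact_path(request_path: str) -> bool:
    """Hardened check: normalize first, then require the exact endpoint."""
    return normalize(request_path) == METRICS_PATH


def escapes_metrics_route(request_path: str) -> bool:
    """True when the raw path passes the prefix test but resolves to
    something other than the metrics endpoint. Usable as a detection
    predicate over proxy access logs while the fix is rolled out."""
    return allowed_by_prefix(request_path) and not allowed_by_exact_path(request_path)


# Constructed access-log lines (method, path, status); not real traffic.
SAMPLE_LOG = [
    "GET /stats/prometheus 200",
    "GET /stats/prometheus?format=text 200",
    "GET /stats/prometheus/../../other 200",
    "GET /stats/prometheus/./ 200",
    "GET /healthz 200",
]


def suspicious_requests(log_lines):
    """Return the log lines whose path escapes the metrics route."""
    hits = []
    for line in log_lines:
        _, path, _ = line.split(" ", 2)
        if escapes_metrics_route(path):
            hits.append(line)
    return hits
```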

Details

CWE(s): CWE-419

Affected Products: envoyproxy/gateway, versions prior to 1.2.6 (fixed in 1.2.6)

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1489 Service Stop (Impact): Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
T1602.002 Network Device Configuration Dump (Collection): Adversaries may access network configuration files to collect sensitive data about the device and the network.
Why these techniques?

Path traversal through the Prometheus metrics endpoint reaches the Envoy Admin interface (T1210), which allows termination of the proxy process (T1489) and extraction of the proxy configuration (T1602.002).
