CVE-2025-30157
Published: 21 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-30157 is a vulnerability in Envoy, a cloud-native high-performance edge/middle/service proxy, specifically affecting the ext_proc HTTP filter in versions prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10. The issue stems from a filter lifetime problem that causes Envoy to crash when a local reply is sent to the external server. A known trigger is the failure of a WebSocket handshake, which generates such a local reply and leads to the crash. It is associated with CWE-460 and has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).
An attacker with network access to an affected Envoy instance can exploit this vulnerability with low attack complexity, though it requires user interaction. No privileges are needed from the attacker. Exploitation triggers a denial-of-service condition by crashing the Envoy process, with no impact on confidentiality or integrity.
Mitigation is available through upgrades to Envoy versions 1.33.1, 1.32.4, 1.31.6, or 1.30.10, which address the filter lifetime issue. Additional details are provided in the Envoy security advisory (GHSA-cf3q-gqg7-3fm9) and the fixing commit (8eda1b8ef5ba8663d16a737ab99458c039a9b53c).
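To triage a fleet against the fixed releases listed above, the following added example (not code from the Envoy project or the advisory) combines a per-branch version check with a search of a parsed Envoy configuration for the ext_proc filter. The function names and sample configuration are constructed for illustration, and the handling of branches outside 1.30 to 1.33 is an assumption noted in the code.

```python
import re

# Fixed patch level per release branch, as listed in the advisory text above.
FIXED = {(1, 33): 1, (1, 32): 4, (1, 31): 6, (1, 30): 10}
# Canonical filter name and typed_config type of Envoy's ext_proc HTTP filter.
EXT_PROC_NAME = "envoy.filters.http.ext_proc"
EXT_PROC_TYPE = "envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor"

def parse_version(text):
    """Pull (major, minor, patch) out of a bare version or a longer build string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def version_is_vulnerable(text):
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        return patch < FIXED[branch]
    # Assumption: branches older than 1.30 count as "prior to 1.30.10" (no fix
    # listed); branches newer than 1.33 are assumed to carry the fix.
    return branch < min(FIXED)

def uses_ext_proc(node):
    """Walk a parsed Envoy config looking for an ext_proc filter entry."""
    if isinstance(node, dict):
        typed = node.get("typed_config")
        type_url = str(typed.get("@type", "")) if isinstance(typed, dict) else ""
        # The filter name is free-form, so the typed_config type is checked too.
        if node.get("name") == EXT_PROC_NAME or type_url.endswith("/" + EXT_PROC_TYPE):
            return True
        return any(uses_ext_proc(v) for v in node.values())
    if isinstance(node, list):
        return any(uses_ext_proc(v) for v in node)
    return False

def exposed(version_text, config):
    return version_is_vulnerable(version_text) and uses_ext_proc(config)

# Constructed sample: one HTTP filter chain with ext_proc in front of the router.
SAMPLE_CONFIG = {"static_resources": {"listeners": [{"filter_chains": [{"filters": [{
    "name": "envoy.filters.network.http_connection_manager",
    "typed_config": {"http_filters": [
        {"name": "custom-processor", "typed_config": {
            "@type": "type.googleapis.com/" + EXT_PROC_TYPE}},
        {"name": "envoy.filters.http.router"}]}}]}]}]}}

if __name__ == "__main__":
    for v in ("1.33.0", "1.32.4", "1.29.12"):
        print(v, "exposed" if exposed(v, SAMPLE_CONFIG) else "not exposed")
```

A static configuration file does not show filters delivered over xDS; the JSON returned by Envoy's admin `/config_dump` endpoint can be parsed and passed to `uses_ext_proc` instead.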
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables exploitation of the Envoy proxy application to trigger a crash and denial-of-service condition, matching T1499.004 Application or System Exploitation.