Skip to content

fix(deps): update module github.com/envoyproxy/gateway to v1.8.1 [security] (release-v1.40)#5060

Open
marvin-tigera wants to merge 1 commit into
release-v1.40from
renovate/release-v1.40-go-github.com-envoyproxy-gateway-vulnerability
Open

fix(deps): update module github.com/envoyproxy/gateway to v1.8.1 [security] (release-v1.40)#5060
marvin-tigera wants to merge 1 commit into
release-v1.40from
renovate/release-v1.40-go-github.com-envoyproxy-gateway-vulnerability

Conversation

@marvin-tigera

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/envoyproxy/gateway v1.8.0v1.8.1 age confidence

Envoy Gateway custom backendRef cross-namespace ReferenceGrant bypass

CVE-2026-53718 / GHSA-fcrp-7gc2-93g7

More information

Details

Impact

Envoy Gateway accepts extension-managed custom backendRefs from an HTTPRoute to a backend resource in another namespace without requiring a matching Gateway API ReferenceGrant in the target namespace. This breaks the Gateway API cross-namespace consent model: the namespace that owns the referenced backend resource does not need to opt in with a ReferenceGrant before another namespace’s HTTPRoute can use that resource.

Patches

1.7.4
1.8.1

Severity

  • CVSS Score: 6.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: Wasm HTTP fetch decompresses gzip without output-size limit

CVE-2026-53716 / GHSA-cxpq-8v7q-cg56

More information

Details

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Attacker hosts a gzip-bomb at a reachable URL
  • sha256 unset (optional field; check is post-decompression anyway)
  • No operator Wasm-URL allowlist (none exists in code)

Description

getFileFromGZ calls io.ReadAll on a raw gzip.Reader (httpfetcher.go:216) with no output bound, while the compressed input is capped at 256 MiB (httpfetcher.go:139). The bytes originate from a tenant-controlled EnvoyExtensionPolicy.spec.wasm[].code.http.url (envoyextensionpolicy.go:1077 → cache.go:248 → httpfetcher.go:147 → :233), so an untrusted tenant can point at a ~10 MiB gzip-of-zeros and force ~10 GiB allocation in the shared controller process. All candidate guards execute either before the body is buffered or after decompression. OOM-kills, restarts, re-reconciles same CR, crash-loops — persistent cross-tenant control-plane outage with PR:L/AC:L and scope change → HIGH despite availability-only.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: Nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization

CVE-2026-53719 / GHSA-m2v6-2jmh-4c68

More information

Details

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Tenant has SecurityPolicy + TCPRoute RBAC (baseline)
  • Tenant namespace permitted to attach TCPRoute to a Gateway listener
  • spec.authorization omitted (the trigger)
  • No admission webhook blocks the shape

Description:

A namespace-scoped tenant can deterministically panic the gatewayapi runner on every reconcile with a single CRD; the recover() in message/watchutil.go:53 keeps the process alive but unwinds the entire handle() callback in runner/runner.go:192, so xDS/Infra IR publishing stalls controller-wide until an admin deletes the object. Data plane keeps serving last-good config.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: OCI layer extraction allocates make([]byte, h.Size) from untrusted tar header

CVE-2026-53717 / GHSA-h7pq-86h8-rp5x

More information

Details

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Controller has egress to attacker-controlled OCI registry
  • No registry allowlist (none exists in code)
  • Layer presents Docker/OCI media type

Description

At imagefetcher.go:287, make([]byte, h.Size) uses the attacker-controlled tar-header size; the LimitReader at :278 bounds bytes read from the stream but not the header-declared size returned by tr.Next() (a 512-byte header can claim a multi-TB entry via PAX/GNU encoding). Reached from untrusted tenant input via EnvoyExtensionPolicy spec.wasm[].code.image.url (envoyextensionpolicy.go:1157 → cache.go:262/299 → imagefetcher.go:218 → :287), and the allocation happens for every tar entry regardless of filename. The resulting Go runtime OOM throw is unrecoverable and, because the CRD persists, crash-loops the shared controller — single-request, non-volumetric, cluster-wide DoS.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: Wasm cache ServeHTTP reads mappingPath2Cache without lock

CVE-2026-53715 / GHSA-8fv2-88gg-hm7q

More information

Details

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Pod-network reachability to :18002 (no auth)
  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Attacker pod floods GET while churning EnvoyExtensionPolicy with distinct Wasm URLs
  • Read at :153 must overlap a write at :201/:209 (probabilistic, attacker controls both rates)

Description:

httpserver.go:153 reads s.mappingPath2Cache with no lock while httpserver.go:201/209 write it under s.Lock(); the struct uses a plain map. Writer is tenant-reachable via EnvoyExtensionPolicy translation, reader is pod-network-reachable on :18002 with per-request goroutines. Go's concurrent map read+write detection calls runtime.throw, which net/http's per-conn recover cannot catch, so the controller process exits — cross-tenant control-plane DoS. Capped at MEDIUM: DoS-only, k8s restarts pod, timing-dependent trigger.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Envoy Gateway: Authentication Bypass via Improper Input Validation in EnvoyExtensionPolicy Lua Allows Secret Disclosure

CVE-2026-53713 / GHSA-wcrf-9vrr-854f

More information

Details

Impact

The to_absolute_normalized_path function (security.lua:28-43) does not collapse redundant path separators (// → /). On Linux, //etc/passwd is equivalent to /etc/passwd (POSIX path semantics), but is_critical_path fails to match the double-slash variant because //etc/passwd does not start with /etc/.

This allows Lua code submitted as an EnvoyExtensionPolicy to read arbitrary files from the gateway controller pod's filesystem during Strict validation (the default), including:

  • /etc/passwd
  • Kubernetes SA tokens via //var/run/secrets/kubernetes.io/serviceaccount/token
  • TLS certificates via //certs/...
  • Process environment via //proc/self/environ

These credentials can be used to read sensitive information from the K8s API Server or from the Gateway XDS server.

Patches

This has been patched in versions >= v1.7.4 and v1.8.1

  • Collapse redundant path separators (// to /) so double-slash variants like //etc/passwd and //var/run/secrets/... are matched by the critical-path check.
  • Rewrite the traversal check to reject any . or .. segment in any position and across both separator styles (catches /etc/./passwd, ./etc/passwd, /etc/.).
Workarounds

Please refer to the Warning section in Lua docs for measures to reduce risk.

Credits

Envoy Gateway thanks @​dashingDragon and @​Donjon-Cerberus for reporting this issue.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

envoyproxy/gateway (github.com/envoyproxy/gateway)

v1.8.1

Compare Source

Release Announcement

Check out the v1.8.1 release announcement to learn more about the release.

What's Changed

Full Changelog: envoyproxy/gateway@v1.8.0...v1.8.1


  • If you want to rebase/retry this PR, check this box

@marvin-tigera
marvin-tigera requested a review from a team as a code owner July 17, 2026 01:02
@marvin-tigera marvin-tigera added dependencies Pull requests that update a dependency file docs-not-required release-note-not-required labels Jul 17, 2026
@marvin-tigera marvin-tigera added this to the v1.40.14 milestone Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file docs-not-required release-note-not-required

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant