7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-24030

GHSA ID

GHSA-j777-63hf-hx76

EPSS Score

0.4285%

CWE

CWE-419

Published

1/23/2025

Updated

1/23/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24030

CVE-2025-24030: Envoy Admin Interface Exposed through prometheus metrics endpoint

Impact

A user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data).

For example, the following command, if run from within the Kubernetes cluster, can be used to get the configuration dump of the proxy:

curl --path-as-is http://<Proxy-Service-ClusterIP>:19001/stats/prometheus/../../config_dump

Patches

1.2.6

Workarounds

The EnvoyProxy API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-config
  namespace: default
spec:
  bootstrap:
    type: JSONPatch
    jsonPatches:
    - op: "add"
      path: "/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/normalize_path"
      value: true
    - op: "replace"
      path: "/static_resources/listeners/0/filter_chains/0/filters/0/typed_config/route_config/virtual_hosts/0/routes/0/match"
      value:
        path: "/stats/prometheus"
        headers:
          - name: ":method"
            exact_match: GET

References

Envoy Admin Interface: https://www.envoyproxy.io/docs/envoy/latest/operations/admin
Envoy Configuration Best Practices: https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-24030

GHSA ID

GHSA-j777-63hf-hx76

EPSS Score

0.4285%

CWE

CWE-419

Published

1/23/2025

Updated

1/23/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/envoyproxy/gateway	go	< 1.2.6	1.2.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key misconfigurations: 1) Using prefix matching instead of exact path matching for the /stats/prometheus endpoint, which didn't prevent path traversal sequences. 2) Lack of path normalization (normalize_path=true) in the HTTP connection manager configuration, which failed to collapse path traversal sequences before route matching. The commit diff shows these were fixed by replacing 'prefix: /stats/prometheus' with exact 'path' matching + method headers, and adding normalize_path=true. These configurations were present in multiple bootstrap/test files, making the pre-patch route matching functions vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * us*r wit* ****ss to * Ku**rn*t*s *lust*r w**r* *nvoy **t*w*y is inst*ll** **n us* * p*t* tr*v*rs*l *tt**k to *x**ut* *nvoy **min int*r**** *omm*n*s on proxi*s m*n**** *y *nvoy **t*w*y. T** **min int*r**** **n ** us** to t*rmin*t* t** *nv

Reasoning

T** vuln*r**ility st*mm** *rom two k*y mis*on*i*ur*tions: *) Usin* pr**ix m*t**in* inst*** o* *x**t p*t* m*t**in* *or t** /st*ts/prom*t**us *n*point, w*i** *i*n't pr*v*nt p*t* tr*v*rs*l s*qu*n**s. *) L**k o* p*t* norm*liz*tion (norm*liz*_p*t*=tru*) i

7.1

Basic Information

Concerned about an active attack path?

CVE-2025-24030: Envoy Admin Interface Exposed through prometheus metrics endpoint

Impact

Patches

Workarounds

References

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI