6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64527

CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching

Summary

Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails.

Details

This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object.

The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes a crash when the async HTTP response arrives.

PoC

allow_missing_or_failed or allow_missing is enabled
The client send 2 Authorization headers
the remote JWKS fetching failed
There will be crash

Impact

DoS and Crash

Mitigation

Disable the allow_missing_or_failed or allow_missing

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64527

CVE-2025-64527:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/envoyproxy/envoy	go	>= 1.36.0, <= 1.36.2	1.36.3
github.com/envoyproxy/envoy	go	>= 1.35.0, <= 1.35.6	1.35.7
github.com/envoyproxy/envoy	go	>= 1.34.0, <= 1.34.10	1.34.11
github.com/envoyproxy/envoy	go	<= 1.33.12	1.33.13

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a re-entrancy bug in the JWT authentication filter when handling multiple JWTs and remote JWKS fetching fails. The analysis of the security patch daefd2f7b3fc2f1c24830ba092d9ca19213b1f39 reveals the root cause. When a remote JWKS fetch fails, the onJwksError callback in AuthenticatorImpl is triggered. If another JWT is present, AuthenticatorImpl::startVerify is called again, leading to a re-entrant call to JwksFetcherImpl::fetch. The original onJwksError call chain proceeds and calls JwksFetcherImpl::reset, which, prior to the patch, would unconditionally nullify the receiver_ and request_ pointers. This action corrupts the state of the second, in-flight fetch request. When the asynchronous HTTP response for this second fetch arrives, the callback attempts to use the now-null receiver_ pointer, resulting in a null pointer dereference and a crash (DoS). The patch introduces a complete_ flag in JwksFetcherImpl to ensure that reset only clears state for completed requests and adds a call to fetcher_->cancel() in AuthenticatorImpl::startVerify to properly manage the fetcher's lifecycle during re-entrant calls.

Vulnerable functions

Envoy::Extensions::HttpFilters::Common::JwksFetcherImpl::reset

source/extensions/filters/http/common/jwks_fetcher.cc

The vulnerability lies in the `reset` function, which unconditionally nullified the `request_` and `receiver_` pointers. When a JWKS fetch failed, the `onJwksError` callback would trigger a new fetch for a subsequent JWT token, leading to a re-entrant call. The original callback would then call `reset`, clearing the state of the second, in-flight fetch request. This caused a null pointer dereference and a crash when the async response for the second fetch arrived.

Envoy::Extensions::HttpFilters::JwtAuthn::AuthenticatorImpl::startVerify

source/extensions/filters/http/jwt_authn/authenticator.cc

This function is responsible for initiating the JWT verification process, including fetching the JWKS. In the vulnerable scenario, a failure in fetching the JWKS for one token would lead to the `onJwksError` callback being executed, which in turn calls `startVerify` again for the next token. This re-entrant call on the same authenticator instance without proper state management of the underlying fetcher is what triggers the vulnerability. The patch mitigates this by explicitly canceling any pending fetch request before starting a new one.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching

Summary

Details

PoC

Impact

Mitigation

CVE-2025-64527:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.5

6.5

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching

Summary

Details

PoC

Impact

Mitigation

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI