3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64763

CVE-2025-64763: Envoy forwards early CONNECT data in TCP proxy mode

Summary

Forwarding of early CONNECT data in TCP proxy mode.

Details

Per RFC 7231-4.3.6 the sender of CONNECT (and all inbound proxies) switch to tunnel mode only after receiving 2xx response. However in TCP proxy mode, Envoy accepts client data before it has issued a 2xx response and eagerly proxies it to an established TCP connection. This creates possibility of a de-synchronized tunnel state if a proxy upstream from Envoy responds with a status other an 2xx.

The RFC does not specify the behavior in case an early CONNECT data is received and early CONNECT data is common as a latency reduction mechanism. To prevent disruption to existing deployments Envoy will by default allow early CONNECT data. Setting the envoy.reloadable_features.reject_early_connect_data runtime flag to true will cause CONNECT requests that send data before 2xx response to be rejected. This options should be enabled if there are intermediaries upstream from Envoy that may reject establishment of a CONNECT tunnel.

Impact

De-synchronization of CONNECT tunnel state if a forwarding proxy upstream from Envoy responds with a non 2xx status.

Attack vector(s)

Sending data for a CONNECT request before receiving 2xx response.

Patches

Users should upgrade to v1.36.3, v1.35.7, v1.34.11 or v1.33.13

Credits

Patrick Smith (pesmithsea@gmail.com)

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64763

CVE-2025-64763:

3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/envoyproxy/envoy	go	>= 1.36.0, <= 1.36.2	1.36.3
github.com/envoyproxy/envoy	go	>= 1.35.0, <= 1.35.6	1.35.7
github.com/envoyproxy/envoy	go	>= 1.34.0, <= 1.34.10	1.34.11
github.com/envoyproxy/envoy	go	<= 1.33.12	1.33.13

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Envoy's handling of TCP CONNECT requests, where it forwards data from the client before the CONNECT tunnel is fully established. This can cause issues with upstream proxies. The analysis of the provided patch commit daefd2f7b3fc2f1c24830ba092d9ca19213b1f39 clearly points to the Envoy::Router::Filter::decodeData function as the location of the vulnerability. The patch modifies this function to add a check for 'early data' in CONNECT requests. A new helper function, isEarlyConnectData, is introduced, which is called from decodeData. If early data is detected and the corresponding runtime feature is enabled, the request is rejected with a 400 Bad Request status. This change directly addresses the reported vulnerability. The other changes in the commit are related to different CVEs and are not relevant to this analysis. Therefore, Envoy::Router::Filter::decodeData is the primary function that would be observed in a runtime profile during the exploitation of this vulnerability.

Vulnerable functions

Envoy::Router::Filter::decodeData

source/common/router/router.cc

The `decodeData` function in the `Envoy::Router::Filter` class is responsible for processing data from the downstream client. Prior to the patch, this function would forward any received data for a CONNECT request, even before the CONNECT tunnel was fully established (i.e., before a 2xx response was sent). This behavior could be exploited by sending 'early data' which would be proxied upstream, potentially leading to a desynchronized state if an intermediary proxy rejected the CONNECT request. The patch introduces a check using the `isEarlyConnectData` function to identify and reject such early data when the `envoy.reloadable_features.reject_early_connect_data` runtime feature is enabled, thus mitigating the vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64763: Envoy forwards early CONNECT data in TCP proxy mode

Summary

Details

Impact

Attack vector(s)

Patches

Credits

CVE-2025-64763:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

3.7

3.7

CVE-2025-64763: Envoy forwards early CONNECT data in TCP proxy mode

Summary

Details

Impact

Attack vector(s)

Patches

Credits

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI