CVE-2024-23325: 
NixOS vulnerability analysis and mitigation

CVE-2024-23325 affects Envoy, a high-performance edge/middle/service proxy. The vulnerability was discovered and disclosed in February 2024. The issue causes Envoy to crash when receiving IPv6 addresses on systems where IPv6 is disabled, specifically when using proxy protocol with an enabled listener configuration. This vulnerability affects Envoy versions prior to 1.29.1, 1.28.1, 1.27.3, and 1.26.7 (GitHub Advisory).

The vulnerability occurs when Envoy receives a request where the client presents its IPv6 address through proxy protocol on a system that doesn't support IPv6. While it is valid for a client to present its IPv6 address to a target server even when the connection chain uses IPv4, this scenario triggers an uncaught exception in Envoy. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network-accessible, requires low complexity to exploit, and primarily impacts system availability (NVD).

The primary impact of this vulnerability is a denial of service condition. When successfully exploited, it causes Envoy to crash, disrupting the service's availability. The vulnerability does not affect data confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in Envoy versions 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability other than upgrading to a fixed version (NVD).