
Cloud Vulnerability DB
A community-led vulnerabilities database
Envoy Gateway, an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway, was found to contain a log injection vulnerability in versions prior to 1.2.7 and 1.3.1. The flaw lies in the default Envoy Proxy access log configuration that Envoy Gateway ships; it was discovered on March 6, 2025 (NVD, GitHub Advisory).
The root cause is improper output neutralization in the default access log configuration. The default format was a text-based template shaped like a JSON object, and Envoy's text formatter substitutes request header values into that template verbatim, without JSON escaping. A double quote inside an attacker-controlled header such as User-Agent therefore terminates the current JSON string, so a specially crafted User-Agent value can append new key/value pairs or repeat existing keys (JSON injection). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: exploitable remotely with low complexity, requiring no privileges or user interaction, with an integrity impact only (GitHub Advisory).
An attacker can thus add arbitrary properties to a log record or overwrite existing ones, for example the logged X-Forwarded-For value, so that a request appears to originate from a different source address and evades log-based security analysis. Alternatively, an unbalanced quote produces a line that is not valid JSON at all; observability pipelines that parse each line as JSON may then reject or drop it, again hiding the request from analysts (GitHub Advisory).
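The following is an added example, not code from Envoy Gateway or the advisory. It models the two behaviours described above side by side: a text-format template that merely looks like JSON (an abbreviated stand-in for the pre-1.2.7/1.3.1 default; the real default has many more fields) versus the same fields rendered through a real JSON serializer, which is what the JSON formatter does. It also includes a small triage function for access logs already written by the vulnerable format, flagging lines that are unparseable or that contain duplicate keys, the two fingerprints of this injection. The operator resolver is a simplification of Envoy's, and the sample requests are constructed, not captured traffic.

```python
import json
import re

# Abbreviated stand-in for the old text-based default: a JSON-looking template
# whose %...% operators the text formatter fills in with raw header values.
# (Assumption: the real default contains many more fields than shown here.)
TEXT_TEMPLATE = (
    '{"method":"%REQ(:METHOD)%",'
    '"path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",'
    '"response_code":"%RESPONSE_CODE%",'
    '"x-forwarded-for":"%REQ(X-FORWARDED-FOR)%",'
    '"user-agent":"%REQ(USER-AGENT)%",'
    '":authority":"%REQ(:AUTHORITY)%"}'
)

# The same fields as a JSON-formatter map (what the fix and the workaround use).
JSON_FIELDS = {
    "method": "%REQ(:METHOD)%",
    "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
    "response_code": "%RESPONSE_CODE%",
    "x-forwarded-for": "%REQ(X-FORWARDED-FOR)%",
    "user-agent": "%REQ(USER-AGENT)%",
    ":authority": "%REQ(:AUTHORITY)%",
}

OPERATOR = re.compile(r"%([^%]+)%")


def resolve(op: str, req: dict) -> str:
    """Simplified operator lookup: %REQ(A?B)% (header A, else header B) and %RESPONSE_CODE%."""
    m = re.fullmatch(r"REQ\(([^)]+)\)", op)
    if m:
        for name in m.group(1).lower().split("?"):
            if name in req["headers"]:
                return req["headers"][name]
        return "-"  # Envoy prints "-" for an absent header
    if op == "RESPONSE_CODE":
        return str(req["response_code"])
    return "-"


def render_text(req: dict) -> str:
    """Vulnerable behaviour: operators are substituted verbatim, nothing is escaped."""
    return OPERATOR.sub(lambda m: resolve(m.group(1), req), TEXT_TEMPLATE)


def render_json(req: dict) -> str:
    """Fixed behaviour: resolve each value, then let a JSON serializer quote it."""
    fields = {k: OPERATOR.sub(lambda m: resolve(m.group(1), req), v)
              for k, v in JSON_FIELDS.items()}
    return json.dumps(fields)


def audit_line(line: str) -> dict:
    """Triage one stored access-log line.

    status is 'invalid_json' (a strict JSON pipeline would drop the line),
    'duplicate_keys' (a field was overwritten; the repeated keys are listed),
    or 'ok'. Parsed fields use last-value-wins, as most JSON parsers do.
    """
    dupes = []

    def pairs_hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)

    try:
        fields = json.loads(line, object_pairs_hook=pairs_hook)
    except json.JSONDecodeError:
        return {"status": "invalid_json", "duplicate_keys": [], "fields": None}
    return {"status": "duplicate_keys" if dupes else "ok",
            "duplicate_keys": dupes, "fields": fields}


# Constructed sample requests (not captured traffic).
BENIGN = {"headers": {":method": "GET", ":path": "/", ":authority": "app.example.test",
                      "x-forwarded-for": "203.0.113.9", "user-agent": "curl/8.5.0"},
          "response_code": 200}
# Close the user-agent string, then smuggle a replacement x-forwarded-for and a new field.
OVERWRITE = {**BENIGN, "headers": {**BENIGN["headers"],
             "user-agent": 'curl/8.5.0","x-forwarded-for":"10.0.0.1","injected":"true'}}
# A lone quote is enough to make the whole line unparseable.
BREAK = {**BENIGN, "headers": {**BENIGN["headers"], "user-agent": 'curl/8.5.0"'}}

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("overwrite", OVERWRITE), ("break", BREAK)):
        text_line = render_text(req)
        print(f"[{name}] text : {text_line}")
        print(f"[{name}] audit: {audit_line(text_line)['status']}")
        print(f"[{name}] json : {audit_line(render_json(req))['status']}")
```

Running it shows the overwrite payload parsing as valid JSON with a repeated x-forwarded-for key whose last value (the attacker's 10.0.0.1) wins, the break payload failing to parse, and both payloads ending up as a harmless quoted user-agent string once the JSON formatter does the escaping.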
The vulnerability has been fixed in versions 1.2.7 and 1.3.1 by making the JSON formatter the default for access logs; because the JSON formatter escapes substituted values, header contents can no longer break out of their field. Users who cannot upgrade immediately can override the old text-based default with a JSON-format access log through the 'EnvoyProxy.spec.telemetry.accessLog' setting (GitHub Advisory). Access logs already written by the text format should be treated as untrusted: any line that fails to parse as JSON, or that contains duplicate keys, may be the result of an injection attempt.
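The workaround described above, written out as the Kubernetes resources Envoy Gateway uses, as an added example rather than text from the advisory. The field list is a shortened illustration of a JSON access log format, and the resource names (custom-proxy-config, eg) and the namespace are assumptions to adapt to your cluster.

```yaml
# Workaround for Envoy Gateway before 1.2.7 / 1.3.1: replace the text-based
# default access log format with the JSON formatter via
# EnvoyProxy.spec.telemetry.accessLog. Field list abbreviated for illustration;
# resource names and namespace are assumptions.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-config          # assumed name
  namespace: envoy-gateway-system    # assumed namespace
spec:
  telemetry:
    accessLog:
      settings:
        - format:
            type: JSON               # JSON formatter escapes header values
            json:
              start_time: "%START_TIME%"
              method: "%REQ(:METHOD)%"
              path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
              protocol: "%PROTOCOL%"
              response_code: "%RESPONSE_CODE%"
              x-forwarded-for: "%REQ(X-FORWARDED-FOR)%"
              user-agent: "%REQ(USER-AGENT)%"
              x-request-id: "%REQ(X-REQUEST-ID)%"
          sinks:
            - type: File
              file:
                path: /dev/stdout
---
# Attach the EnvoyProxy to the GatewayClass so every proxy it manages uses it.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg                           # assumed GatewayClass name
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: custom-proxy-config
    namespace: envoy-gateway-system
```

After applying the manifests, send a request whose User-Agent contains a double quote and confirm that the proxy's log line still parses as a single JSON object with the quote escaped inside the user-agent value rather than as extra fields.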
Source: This report was generated using AI