CVE-2025-30157: 
Envoy vulnerability analysis and mitigation

Envoy, a cloud-native high-performance edge/middle/service proxy, disclosed a vulnerability (CVE-2025-30157) affecting versions prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10. The vulnerability was discovered in March 2025 and involves Envoy's ext_proc HTTP filter being at risk of crashing when a local reply is sent to the external server due to a filter's lifetime issue (GitHub Advisory).

The vulnerability occurs specifically in the ext_proc HTTP filter component when processing local replies. A known trigger scenario involves a websocket handshake failure, which generates a local reply leading to Envoy's crash. The issue has been assigned a CVSS v3.1 score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and no privileges required, though user interaction is needed (NVD, GitHub Advisory).

The primary impact of this vulnerability is a denial of service condition. When successfully exploited, it can cause the Envoy proxy to crash, potentially disrupting service availability for systems relying on the affected Envoy instances (GitHub Advisory).

Several mitigation options are available: 1) Disable websocket traffic, 2) Modify the websocket response from the backend to always return 101 Switch protocol based on RFC, 3) Apply the patch that prevents the extproc filter from sending local replies generated by Envoy to the extproc server, 4) Apply the patch that makes the router cancel upstream requests when sending a local reply. The permanent fix is to upgrade to patched versions: 1.33.1, 1.32.4, 1.31.6, or 1.30.10 (GitHub Advisory).