CVE-2025-46821: 
Envoy vulnerability analysis and mitigation

Envoy, a cloud-native edge/middle/service proxy, has been identified with a vulnerability (CVE-2025-46821) affecting versions prior to 1.34.1, 1.33.3, 1.32.6, and 1.31.8. The vulnerability was disclosed on May 7, 2025, and involves incorrect handling of URI template matching where the * character is improperly excluded from valid characters in the URI path (GitHub Advisory).

The vulnerability stems from Envoy's URI template matcher incorrectly excluding the * character from the set of valid characters in the URI path. This implementation flaw causes URI paths containing the * character to fail to match URI template expressions. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The primary impact of this vulnerability is the potential bypass of RBAC (Role-Based Access Control) rules when configured using the uri_template permissions. This could lead to unauthorized access to resources that should be protected by RBAC policies (GitHub Advisory).

The vulnerability has been fixed in Envoy versions v1.34.1, v1.33.3, v1.32.6, and v1.31.8. For users unable to upgrade immediately, a workaround is available: configure additional RBAC permissions using url_path with safe_regex expression (GitHub Advisory).