ISTIO-SECURITY-2025-002

content/en/news/security/istio-security-2025-002/index.md


{{< security_bulletin >}}

CVE

Envoy CVEs

  • CVE-2025-62504 (CVSS score 6.5, Medium): A response body that a Lua filter modifies to a large enough size will cause Envoy to crash.
  • CVE-2025-62409 (CVSS score 6.6, Medium): Large requests and responses can cause a TCP connection pool crash.

Am I Impacted?

You are impacted if either of the following applies:

  • CVE-2025-62504: you use Lua via an EnvoyFilter and the script modifies a response body so that it exceeds per_connection_buffer_limit_bytes (default 1MB).
  • CVE-2025-62409: your workloads handle large requests and responses where a connection can be closed while the upstream is still sending data.
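As an added check for the first condition above (example code written for this page, not Istio's own tooling), the following script scans the output of `kubectl get envoyfilter -A -o json` and flags every EnvoyFilter config patch that installs Envoy's `envoy.filters.http.lua` filter, noting which of those scripts define an `envoy_on_response` hook that touches the body handle. It is a heuristic: it only sees Lua code embedded in the EnvoyFilter object (not scripts referenced by filename), it cannot tell how large the rewritten body will be, and it says nothing about the second condition (CVE-2025-62409), which depends on traffic shape rather than configuration. The EnvoyFilter list below is constructed for the example and is not from any real cluster.

```python
"""Heuristic scan of Istio EnvoyFilter objects for Lua scripts that modify
response bodies (the configuration pattern tied to CVE-2025-62504).

Usage: kubectl get envoyfilter -A -o json | python3 scan_lua_envoyfilters.py
"""
import json
import re
import sys
from typing import Any, Iterator

# Envoy's Lua HTTP filter name and its typed_config proto package.
LUA_MARKERS = ("envoy.filters.http.lua", "envoy.extensions.filters.http.lua")
# The response-side Lua hook and any call on the body handle (e.g.
# response_handle:body(true) followed by setBytes on the returned buffer).
RESPONSE_HOOK = re.compile(r"function\s+envoy_on_response\s*\(")
BODY_ACCESS = re.compile(r":\s*body\s*\(")


def iter_strings(node: Any) -> Iterator[str]:
    """Yield every string value nested anywhere in a JSON-like structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_strings(item)


def patch_uses_lua(patch_value: Any) -> bool:
    """True if the patch value names the Lua filter or its typed_config."""
    return any(marker in s for s in iter_strings(patch_value) for marker in LUA_MARKERS)


def lua_rewrites_response_body(patch_value: Any) -> bool:
    """True if an embedded script has a response hook that uses the body handle."""
    return any(RESPONSE_HOOK.search(s) and BODY_ACCESS.search(s)
               for s in iter_strings(patch_value))


def flag_envoyfilters(kubectl_json: str) -> list[dict]:
    """Return one finding per Lua config patch in a kubectl JSON dump
    (either an EnvoyFilterList or a single EnvoyFilter object)."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", []) if doc.get("kind") == "EnvoyFilterList" else [doc]
    findings = []
    for obj in items:
        meta = obj.get("metadata", {})
        for idx, cp in enumerate(obj.get("spec", {}).get("configPatches", [])):
            value = cp.get("patch", {}).get("value")
            if value is None or not patch_uses_lua(value):
                continue
            findings.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "configPatch": idx,
                "rewrites_response_body": lua_rewrites_response_body(value),
            })
    return findings


# Constructed sample in the shape of `kubectl get envoyfilter -A -o json`.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1", "kind": "EnvoyFilterList",
    "items": [
        {"kind": "EnvoyFilter",
         "metadata": {"name": "lua-rewrite-body", "namespace": "default"},
         "spec": {"configPatches": [{
             "applyTo": "HTTP_FILTER", "match": {"context": "SIDECAR_INBOUND"},
             "patch": {"operation": "INSERT_BEFORE", "value": {
                 "name": "envoy.filters.http.lua",
                 "typed_config": {
                     "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
                     # Rewrites the body to 2MB, past the 1MB default buffer limit.
                     "inlineCode": ("function envoy_on_response(response_handle)\n"
                                    "  local body = response_handle:body(true)\n"
                                    "  body:setBytes(string.rep('A', 2 * 1024 * 1024))\n"
                                    "end\n")}}}}]}},
        {"kind": "EnvoyFilter",
         "metadata": {"name": "lua-header-only", "namespace": "payments"},
         "spec": {"configPatches": [{
             "applyTo": "HTTP_FILTER", "match": {"context": "GATEWAY"},
             "patch": {"operation": "INSERT_BEFORE", "value": {
                 "name": "envoy.filters.http.lua",
                 "typed_config": {
                     "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
                     "inlineCode": ("function envoy_on_request(request_handle)\n"
                                    "  request_handle:headers():add('x-scanned', 'yes')\n"
                                    "end\n")}}}}]}},
        {"kind": "EnvoyFilter",
         "metadata": {"name": "cluster-buffer-limit", "namespace": "istio-system"},
         "spec": {"configPatches": [{
             "applyTo": "CLUSTER",
             "patch": {"operation": "MERGE",
                       "value": {"per_connection_buffer_limit_bytes": 1048576}}}]}},
    ]})

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_JSON
    for finding in flag_envoyfilters(data):
        print(json.dumps(finding))
```

Run it against a live dump to get a list of EnvoyFilters to review by hand; a finding with `rewrites_response_body` true is the pattern the bulletin calls out, while a Lua filter that only touches headers or the request side is listed so you can confirm it really does not grow response bodies.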