CVE-2025-25294: Envoy Gateway Log Injection Vulnerability
(updated )
In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection attacks.
If the attacker uses a specially crafted user-agent which performs json injection, then he could add and overwrite fields to the access log.
Examples of attacks include:
Using following string as user agent :
HELLO-WORLD", "evil-ip": "1.1.1.1", "x-forwarded-for": "1.1.1.1would lead to setting of new access log properties and overwrite of existing properties. Existing properties such as the value of the X-Forwarded-For header may have importance for security analysis of access logs, and their overwrite can be used to hide malicious activity.Using the following string as user-agent :
"which renders an invalid json document. The invalid document may fail to be processed by observability solutions, which would allow attacker to hide malicious activity.
References
- github.com/advisories/GHSA-mf24-chxh-hmvj
- github.com/envoyproxy/gateway
- github.com/envoyproxy/gateway/commit/041d474a70d5921e5d65e6e14ea60e14dac70b01
- github.com/envoyproxy/gateway/commit/358bed50dcb7b32f39a2edb252fb1399c7fc65dc
- github.com/envoyproxy/gateway/commit/8f48f5199cf1bbb9a8ac0695c5171bfef6c9198a
- github.com/envoyproxy/gateway/releases/tag/v1.2.7
- github.com/envoyproxy/gateway/releases/tag/v1.3.1
- github.com/envoyproxy/gateway/security/advisories/GHSA-mf24-chxh-hmvj
- nvd.nist.gov/vuln/detail/CVE-2025-25294
- pkg.go.dev/vuln/GO-2025-3504
Code Behaviors & Features
Detect and mitigate CVE-2025-25294 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →