[Zero Day] zero day announcement for Envoy users


Boteng Yao

Oct 16, 2025, 4:27:14 PM
to envoy-security, envoy-ma...@googlegroups.com, envoy-a...@googlegroups.com, envoy...@googlegroups.com, envo...@googlegroups.com

Hello Envoy Community,

We are announcing the release of fixes for two zero-day vulnerabilities: one High and one Moderate severity. We urge all users to prepare for an upgrade as soon as the patches are made available.

  • CVE-2025-62409 (High): A crash in the TCP connection pool triggered by handling large requests or responses. TCP proxy is impacted.
  • CVE-2025-62504 (Moderate): A crash that occurs when Lua filters handle a sufficiently large response body.

The following patched versions, which include these essential fixes, will be available shortly.

  • 1.36.2
  • 1.35.6
  • 1.34.10
  • 1.33.12

Please monitor the official GitHub repository for the releases: https://github.com/envoyproxy/envoy/releases

Thanks,

Ryan Northey (@phlax)
Boteng Yao (@botengyao)

On behalf of the Envoy maintainers.
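As an added example (not part of the announcement and not Envoy's own tooling), a small Python check that maps a deployed Envoy version onto the patched release listed above for its minor line, so operators can triage a fleet before the upgrade. The `envoy --version` output format it parses and the sample inputs are assumptions; minor lines the announcement does not list are reported as unlisted rather than judged either way.

```python
import re

# Patched releases from the announcement, keyed by (major, minor) line.
FIXED_VERSIONS = {
    (1, 36): (1, 36, 2),
    (1, 35): (1, 35, 6),
    (1, 34): (1, 34, 10),
    (1, 33): (1, 33, 12),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_envoy_version(text):
    """Return (major, minor, patch) from a bare 'x.y.z' string or from
    `envoy --version` output, assumed to look like
    'envoy  version: <sha>/1.34.9/Clean/RELEASE/BoringSSL'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Classify a deployment against the announced fixes.

    Returns (status, fixed_version): status is 'patched' when the running
    version is at or above the fix for its line, 'vulnerable' when below it,
    and 'unlisted' (fixed_version None) for lines the announcement omits."""
    running = parse_envoy_version(version_text)
    fixed = FIXED_VERSIONS.get(running[:2])
    if fixed is None:
        return ("unlisted", None)
    # Tuple comparison handles 1.34.9 < 1.34.10 correctly (no string compare).
    return ("patched" if running >= fixed else "vulnerable", fixed)


if __name__ == "__main__":
    # Constructed sample inventory; the sha is a placeholder, not a real build.
    fleet = {
        "edge-a": "envoy  version: 0123456789abcdef0123456789abcdef01234567/1.34.9/Clean/RELEASE/BoringSSL",
        "edge-b": "1.36.2",
        "legacy": "1.32.7",
    }
    for host, text in fleet.items():
        status, fixed = assess(text)
        target = ".".join(map(str, fixed)) if fixed else "n/a"
        print(f"{host}: {status} (fix: {target})")
```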
