Envoy security releases [1.36.3, 1.35.7, 1.34.11, 1.33.13] are available today


Boteng Yao

Dec 3, 2025, 1:28:30 PM
to envoy-a...@googlegroups.com, envoy...@googlegroups.com, envo...@googlegroups.com, envoy-security, cncf-envoy-distr...@lists.cncf.io, envoy-ma...@googlegroups.com
Hi Envoy Community,

The Envoy security team would like to announce the availability of Envoy 1.36.3, 1.35.7, 1.34.11 and 1.33.13 to address the following CVE(s):

CVE-2025-66220: TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte
CVE-2025-64763: Option to stop forwarding early CONNECT data in TCP proxy mode
CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching

The releases will be published to our releases page as they become available today:

     https://github.com/envoyproxy/envoy/releases

You are encouraged to update your versions of Envoy, and documentation for all versions can be found at https://www.envoyproxy.io/docs.

A PR to resolve these issues on the `main` branch has been raised here:

Main PR here: https://github.com/envoyproxy/envoy/pull/42370

Thanks,

Ryan Northey (@phlax)
Boteng Yao (@botengyao)

on behalf of the Envoy security team