Release to fix CVE-2025-25294


Guy Daich

Mar 6, 2025, 7:31:26 PM
to envoy-gateway-announce
Hello Envoy Gateway Community,

We are announcing an upcoming release to address an Envoy Gateway log injection vulnerability identified by Dennis Kniep. This vulnerability was assigned the ID CVE-2025-25294. Envoy's versions v1.2.6, v1.3.0 and earlier are affected. Patched releases are available: v1.2.7, v1.3.1.

The vulnerability affects deployments that use the default Envoy Gateway access log format. For more information, see https://github.com/envoyproxy/gateway/security/advisories/GHSA-mf24-chxh-hmvj

Thanks,
Guy Daich, on behalf of the Envoy Gateway maintainers