CVE-2025-62409: Envoy allows large requests and responses to cause TCP connection pool crash

Q: What is the severity of CVE-2025-62409?

CVE-2025-62409 has been classified with a severity that may lead to crashes in the TCP connection pool under specific conditions.

Q: How do I fix CVE-2025-62409?

To fix CVE-2025-62409, upgrade to Envoy version 1.36.1 or later, or to the latest respective versions above 1.35.5, 1.34.9, and 1.33.10.

Q: What causes CVE-2025-62409?

CVE-2025-62409 is caused by issues in flow control management that can lead to crashes when managing large requests and responses.

Q: Which versions of Envoy are affected by CVE-2025-62409?

The affected versions of Envoy include all versions prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10.

Q: What impact does CVE-2025-62409 have on my systems?

CVE-2025-62409 can disrupt service by causing crashes of the TCP connection pool, potentially impacting application availability.

Published Oct 16, 2025

Updated

Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can potentially trigger TCP connection pool crashes due to flow control management in Envoy. It will happen when the connection is closing but upstream data is still coming, resulting in a buffer watermark callback nullptr reference. The vulnerability impacts TCP proxy and HTTP 1 & 2 mixed use cases based on ALPN. This vulnerability is fixed in 1.36.1, 1.35.5, 1.34.9, and 1.33.10.

Affected Software

5 affected components

Envoy Envoy<1.33.10, >=1.34.9<=1.35.5

Envoyproxy Envoy<1.33.11

Envoyproxy Envoy>=1.34.0<1.34.9

Envoyproxy Envoy>=1.35.0<1.35.5

Envoyproxy Envoy=1.36.0

Event History

Oct 16, 2025

CVE Published

via MITRE·05:47 PM

Data Sourced

via MITRE·05:47 PM

DescriptionWeakness

Data Sourced

via NVD·06:15 PM

DescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2025-62409?

CVE-2025-62409 has been classified with a severity that may lead to crashes in the TCP connection pool under specific conditions.

How do I fix CVE-2025-62409?

To fix CVE-2025-62409, upgrade to Envoy version 1.36.1 or later, or to the latest respective versions above 1.35.5, 1.34.9, and 1.33.10.

What causes CVE-2025-62409?

CVE-2025-62409 is caused by issues in flow control management that can lead to crashes when managing large requests and responses.

Which versions of Envoy are affected by CVE-2025-62409?

The affected versions of Envoy include all versions prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10.

What impact does CVE-2025-62409 have on my systems?

CVE-2025-62409 can disrupt service by causing crashes of the TCP connection pool, potentially impacting application availability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.