NULL pointer dereference in Envoyproxy Envoy

CVE-2025-62409

Envoy is a cloud-native, open source edge and service proxy. Prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10, large requests and responses can potentially trigger TCP connection pool crashes due to flow control management in Envoy. It will ha…

EPSS: 0.004 (33.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2025-62409?
CVE-2025-62409 is a high-severity vulnerability in Envoyproxy Envoy, classified under NULL Pointer Dereference. CVSS score: 7.5/10. Published 2025-10-16.
How severe is CVE-2025-62409?
High severity. CVSS v3 base score is 7.5 out of 10.