Envoy Proxy

Envoy is a cloud-native L4/L7 proxy that powers the data plane in Istio, AWS App Mesh, and many Kubernetes ingress controllers. It sits on the path between AI inference endpoints, API gateways, and upstream services, so a vulnerable proxy version is usually reachable from the network edge. NVD tracks it under the CPE vendor/product pair envoyproxy:envoy with semver-style ranges on current release trains (older builds used date-based version strings).

api usage

Querying Envoy Proxy

product slug: envoy
version format: 1.31.0, 1.26.0, 1.25.8
bash
curl "https://api.attestd.io/v1/check?product=envoy&version=1.26.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Envoy 1.26.0 is affected by CVE-2023-35945 (an HTTP/2 codec memory leak that a malicious or misbehaving upstream can trigger to cause denial of service). The aggregated response returns risk_state: "high" and names 1.26.3 as the fixed version on that release train.

json
{
  "product": "envoy",
  "version": "1.26.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "denial_of_service",
    "internet_exposed_service",
    "no_authentication_required",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.26.3",
  "confidence": 0.88,
  "cve_ids": ["CVE-2023-35945"],
  "last_updated": "2026-05-22T00:00:00Z"
}

safe version

Envoy 1.31.0 is used here as an example of a patched release line; confirm its status with a live /v1/check call once the version has been ingested rather than assuming it stays clean, since new CVEs land against current trains.

bash
curl "https://api.attestd.io/v1/check?product=envoy&version=1.31.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
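The script below is an added example, not code from attestd.io or the Envoy project. It ties the two queries above together the way a CI gate would: it pulls the semver out of `envoy --version` output, builds the /v1/check request shown on this page, and turns the JSON response into a block/allow decision with an upgrade target on the same release train. The 1.26.0 response is the one shown above; the 1.31.0 response is constructed, because the page only documents what a `"high"` result looks like, so its `risk_state: "low"` value is an assumption.

```python
"""Gate an Envoy deployment on an attestd.io /v1/check response.

Added example (not attestd.io or Envoy project code). Everything runs
offline against embedded sample data; fetch_check() is the only function
that touches the network and is not called here.
"""
import json
import re
import urllib.request
from urllib.parse import urlencode

API = "https://api.attestd.io/v1/check"

# Constructed sample of `envoy --version` output (commit hash shortened).
# Real output has the form "envoy  version: <sha>/<semver>/<state>/<mode>/<tls>".
SAMPLE_VERSION_OUTPUT = "envoy  version: 5a4c6d0e/1.26.0/Clean/RELEASE/BoringSSL"

# The 1.26.0 response from this page, embedded so the example runs offline.
SAMPLE_RESPONSE_1_26_0 = {
    "product": "envoy", "version": "1.26.0", "supported": True,
    "risk_state": "high",
    "risk_factors": ["denial_of_service", "internet_exposed_service",
                     "no_authentication_required", "patch_available"],
    "actively_exploited": False, "remote_exploitable": True,
    "authentication_required": False, "patch_available": True,
    "fixed_version": "1.26.3", "confidence": 0.88,
    "cve_ids": ["CVE-2023-35945"], "last_updated": "2026-05-22T00:00:00Z",
}

# Constructed clean response. The page shows only risk_state "high", so
# "low" is an ASSUMED value for a patched line, not a documented one.
SAMPLE_RESPONSE_1_31_0 = {
    "product": "envoy", "version": "1.31.0", "supported": True,
    "risk_state": "low", "risk_factors": [], "actively_exploited": False,
    "remote_exploitable": False, "authentication_required": False,
    "patch_available": False, "fixed_version": None, "confidence": 0.9,
    "cve_ids": [], "last_updated": "2026-05-22T00:00:00Z",
}

_VER_RE = re.compile(r"version:\s*[0-9a-f]+/(\d+\.\d+\.\d+)")


def parse_envoy_version(output: str) -> str:
    """Extract the semver (e.g. '1.26.0') from `envoy --version` output."""
    m = _VER_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised envoy --version output: {output!r}")
    return m.group(1)


def check_url(version: str, product: str = "envoy") -> str:
    """Build the /v1/check URL used on this page; urlencode guards odd input."""
    return f"{API}?{urlencode({'product': product, 'version': version})}"


def fetch_check(version: str, api_key: str, product: str = "envoy", timeout: int = 10) -> dict:
    """Live query with the Bearer header from the page (network; not run here)."""
    req = urllib.request.Request(check_url(version, product),
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _train(version: str) -> tuple:
    """Release train = (major, minor); 1.26.0 and 1.26.3 share a train."""
    return tuple(int(x) for x in version.split(".")[:2])


def gate(resp: dict, fail_on=("critical", "high")) -> dict:
    """Decide block/allow/review from a /v1/check response.

    Block when risk_state is in fail_on or the issue is actively exploited;
    report whether the fixed version is a drop-in patch on the same train.
    """
    version = resp["version"]
    if not resp.get("supported", False):
        return {"decision": "review", "reasons": ["version not in attestd.io data"],
                "upgrade_to": None, "same_train": None, "cves": []}
    reasons = []
    if resp.get("risk_state") in fail_on:
        reasons.append(f"risk_state={resp['risk_state']}")
    if resp.get("actively_exploited"):
        reasons.append("actively exploited")
    fixed = resp.get("fixed_version") if resp.get("patch_available") else None
    same_train = _train(fixed) == _train(version) if fixed else None
    if fixed and same_train is False:
        reasons.append(f"fix {fixed} is on another release train; plan a minor upgrade")
    return {"decision": "block" if reasons else "allow", "reasons": reasons,
            "upgrade_to": fixed if reasons else None, "same_train": same_train,
            "cves": list(resp.get("cve_ids", []))}


if __name__ == "__main__":
    running = parse_envoy_version(SAMPLE_VERSION_OUTPUT)
    print("would query:", check_url(running))
    for sample in (SAMPLE_RESPONSE_1_26_0, SAMPLE_RESPONSE_1_31_0):
        print(sample["version"], json.dumps(gate(sample)))
```

In a pipeline, replace `SAMPLE_VERSION_OUTPUT` with the captured output of the image's `envoy --version` and feed `fetch_check(version, os.environ["ATTESTD_KEY"])` into `gate()`; a `same_train` of `True` means the fixed version is a patch-level bump that can usually ship without a config review, while `False` means the upgrade crosses a minor boundary and should go through the normal release-notes check.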

notable cves

CVE history

Envoy CVE history clusters around HTTP/2 and gRPC protocol handling, authentication bypasses in filters (JWT, ext-authz, path normalization), and upstream connection lifecycle bugs. Many Istio deployments inherit Envoy CVEs through the bundled proxy version; use the Istio product slug for control-plane-specific issues.

| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2023-44487 | HTTP/2 rapid reset attack causing denial of service via excessive stream cancellation. | Multiple 1.x trains (fixed in 1.27.1, 1.26.5, 1.25.10, 1.24.11) | 7.5 |
| CVE-2023-35945 | HTTP/2 codec memory leak when RST_STREAM is followed by GOAWAY from upstream. | < 1.26.3 | 7.5 |
| CVE-2019-9901 | URL path normalization bypass: crafted relative path (e.g. /../admin) evades access control filters and reaches backend with unintended scope. | <= 1.9.0 | 10.0 |
| CVE-2022-29225 | Zip bomb via compressed request/response body: small highly compressed payload exhausts memory in decompressor filter. | < 1.22.1 | 7.5 |
| CVE-2021-32777 | ext-authz filter sends only the last value of multi-value request headers to the authorization service, allowing specifically crafted headers to bypass authorization checks. | 1.16.x to 1.19.0 (fixed in 1.19.1, 1.18.4, 1.17.4, 1.16.5) | 8.6 |
| CVE-2020-8663 | File descriptor and memory exhaustion when accepting too many simultaneous connections, causing denial of service. | <= 1.14.2 | 7.5 |