x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-mp85-7mrq-r866

Advisory [GHSA-mp85-7mrq-r866](https://github.com/advisories/GHSA-mp85-7mrq-r866) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/envoyproxy/envoy](https://pkg.go.dev/github.com/envoyproxy/envoy) |

Description:
### Summary
Envoy crashes when JWT authentication is configured with the remote JWKS fetching, `allow_missing_or_failed` is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails.

### Details
This is caused by a re-entry bug in the `JwksFetcherImpl`. When the first token's JWKS fetch fails, `onJwksError()` callback triggers processing of the second token, which calls fetch() again on the same fetcher object.

The original callback's reset() then clears the second fetch's state (`receiver_ and request_`) which causes a crash when the async HTTP response arrive...

References:
- ADVISORY: https://github.com/advisories/GHSA-mp85-7mrq-r866
- ADVISORY: https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-64527

Cross references:
- github.com/envoyproxy/envoy appears in 70 other report(s):
  - data/excluded/GO-2022-0330.yaml    (https://github.com/golang/vulndb/issues/330)    NOT_GO_CODE
  - data/excluded/GO-2022-0331.yaml    (https://github.com/golang/vulndb/issues/331)    NOT_GO_CODE
  - data/excluded/GO-2022-0332.yaml    (https://github.com/golang/vulndb/issues/332)    NOT_GO_CODE
  - data/excluded/GO-2022-0333.yaml    (https://github.com/golang/vulndb/issues/333)    NOT_GO_CODE
  - data/excluded/GO-2022-0334.yaml    (https://github.com/golang/vulndb/issues/334)    NOT_GO_CODE
  - data/excluded/GO-2022-0335.yaml    (https://github.com/golang/vulndb/issues/335)    NOT_GO_CODE
  - data/excluded/GO-2022-0336.yaml    (https://github.com/golang/vulndb/issues/336)    NOT_GO_CODE
  - data/excluded/GO-2022-0337.yaml    (https://github.com/golang/vulndb/issues/337)    NOT_GO_CODE
  - data/excluded/GO-2022-0484.yaml    (https://github.com/golang/vulndb/issues/484)    NOT_GO_CODE
  - data/excluded/GO-2022-0485.yaml    (https://github.com/golang/vulndb/issues/485)    NOT_GO_CODE
  - data/excluded/GO-2022-0486.yaml    (https://github.com/golang/vulndb/issues/486)    NOT_GO_CODE
  - data/excluded/GO-2022-0487.yaml    (https://github.com/golang/vulndb/issues/487)    NOT_GO_CODE
  - data/excluded/GO-2022-0488.yaml    (https://github.com/golang/vulndb/issues/488)    NOT_GO_CODE
  - data/excluded/GO-2023-1690.yaml    (https://github.com/golang/vulndb/issues/1690)    NOT_GO_CODE
  - data/excluded/GO-2023-1691.yaml    (https://github.com/golang/vulndb/issues/1691)    NOT_GO_CODE
  - data/excluded/GO-2023-1692.yaml    (https://github.com/golang/vulndb/issues/1692)    NOT_GO_CODE
  - data/excluded/GO-2023-1693.yaml    (https://github.com/golang/vulndb/issues/1693)    NOT_GO_CODE
  - data/excluded/GO-2023-1694.yaml    (https://github.com/golang/vulndb/issues/1694)    NOT_GO_CODE
  - data/excluded/GO-2023-1695.yaml    (https://github.com/golang/vulndb/issues/1695)    NOT_GO_CODE
  - data/excluded/GO-2023-1917.yaml    (https://github.com/golang/vulndb/issues/1917)    NOT_GO_CODE
  - data/excluded/GO-2023-1921.yaml    (https://github.com/golang/vulndb/issues/1921)    NOT_GO_CODE
  - data/excluded/GO-2023-1966.yaml    (https://github.com/golang/vulndb/issues/1966)    NOT_GO_CODE
  - data/excluded/GO-2023-1968.yaml    (https://github.com/golang/vulndb/issues/1968)    NOT_GO_CODE
  - data/excluded/GO-2023-1969.yaml    (https://github.com/golang/vulndb/issues/1969)    NOT_GO_CODE
  - data/excluded/GO-2023-1970.yaml    (https://github.com/golang/vulndb/issues/1970)    NOT_GO_CODE
  - data/excluded/GO-2023-2106.yaml    (https://github.com/golang/vulndb/issues/2106)    NOT_GO_CODE
  - data/excluded/GO-2023-2242.yaml    (https://github.com/golang/vulndb/issues/2242)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2247.yaml    (https://github.com/golang/vulndb/issues/2247)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2248.yaml    (https://github.com/golang/vulndb/issues/2248)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2249.yaml    (https://github.com/golang/vulndb/issues/2249)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2250.yaml    (https://github.com/golang/vulndb/issues/2250)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2260.yaml    (https://github.com/golang/vulndb/issues/2260)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2273.yaml    (https://github.com/golang/vulndb/issues/2273)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2274.yaml    (https://github.com/golang/vulndb/issues/2274)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2275.yaml    (https://github.com/golang/vulndb/issues/2275)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2279.yaml    (https://github.com/golang/vulndb/issues/2279)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2291.yaml    (https://github.com/golang/vulndb/issues/2291)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2292.yaml    (https://github.com/golang/vulndb/issues/2292)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2301.yaml    (https://github.com/golang/vulndb/issues/2301)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2302.yaml    (https://github.com/golang/vulndb/issues/2302)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2307.yaml    (https://github.com/golang/vulndb/issues/2307)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2308.yaml    (https://github.com/golang/vulndb/issues/2308)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2309.yaml    (https://github.com/golang/vulndb/issues/2309)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2310.yaml    (https://github.com/golang/vulndb/issues/2310)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2311.yaml    (https://github.com/golang/vulndb/issues/2311)    LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2024-2542.yaml    (https://github.com/golang/vulndb/issues/2542)    NOT_GO_CODE
  - data/excluded/GO-2024-2543.yaml    (https://github.com/golang/vulndb/issues/2543)    NOT_GO_CODE
  - data/excluded/GO-2024-2544.yaml    (https://github.com/golang/vulndb/issues/2544)    NOT_GO_CODE
  - data/excluded/GO-2024-2545.yaml    (https://github.com/golang/vulndb/issues/2545)    NOT_GO_CODE
  - data/excluded/GO-2024-2546.yaml    (https://github.com/golang/vulndb/issues/2546)    NOT_GO_CODE
  - data/excluded/GO-2024-2710.yaml    (https://github.com/golang/vulndb/issues/2710)    NOT_GO_CODE
  - data/excluded/GO-2024-2713.yaml    (https://github.com/golang/vulndb/issues/2713)    NOT_GO_CODE
  - data/excluded/GO-2024-2735.yaml    (https://github.com/golang/vulndb/issues/2735)    NOT_GO_CODE
  - data/excluded/GO-2024-2890.yaml    (https://github.com/golang/vulndb/issues/2890)    NOT_GO_CODE
  - data/excluded/GO-2024-2892.yaml    (https://github.com/golang/vulndb/issues/2892)    NOT_GO_CODE
  - data/excluded/GO-2024-2893.yaml    (https://github.com/golang/vulndb/issues/2893)    NOT_GO_CODE
  - data/excluded/GO-2024-2894.yaml    (https://github.com/golang/vulndb/issues/2894)    NOT_GO_CODE
  - data/excluded/GO-2024-2895.yaml    (https://github.com/golang/vulndb/issues/2895)    NOT_GO_CODE
  - data/excluded/GO-2024-2896.yaml    (https://github.com/golang/vulndb/issues/2896)    NOT_GO_CODE
  - data/excluded/GO-2024-2897.yaml    (https://github.com/golang/vulndb/issues/2897)    NOT_GO_CODE
  - data/excluded/GO-2024-2960.yaml    (https://github.com/golang/vulndb/issues/2960)    NOT_GO_CODE
  - data/excluded/GO-2024-3144.yaml    (https://github.com/golang/vulndb/issues/3144)    NOT_GO_CODE
  - data/excluded/GO-2024-3145.yaml    (https://github.com/golang/vulndb/issues/3145)    NOT_GO_CODE
  - data/excluded/GO-2024-3146.yaml    (https://github.com/golang/vulndb/issues/3146)    NOT_GO_CODE
  - data/excluded/GO-2024-3147.yaml    (https://github.com/golang/vulndb/issues/3147)    NOT_GO_CODE
  - data/excluded/GO-2024-3148.yaml    (https://github.com/golang/vulndb/issues/3148)    NOT_GO_CODE
  - data/excluded/GO-2024-3149.yaml    (https://github.com/golang/vulndb/issues/3149)    NOT_GO_CODE
  - data/excluded/GO-2024-3345.yaml    (https://github.com/golang/vulndb/issues/3345)    NOT_GO_CODE
  - data/excluded/GO-2024-3346.yaml    (https://github.com/golang/vulndb/issues/3346)    NOT_GO_CODE
  - data/excluded/GO-2024-3347.yaml    (https://github.com/golang/vulndb/issues/3347)    NOT_GO_CODE

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/envoyproxy/envoy
      non_go_versions:
        - introduced: TODO (earliest fixed "1.33.13", vuln range "<= 1.33.12")
        - introduced: TODO (earliest fixed "1.34.11", vuln range ">= 1.34.0, <= 1.34.10")
        - introduced: TODO (earliest fixed "1.35.7", vuln range ">= 1.35.0, <= 1.35.6")
        - introduced: TODO (earliest fixed "1.36.3", vuln range ">= 1.36.0, <= 1.36.2")
      vulnerable_at: 1.36.3
summary: |-
    Envoy crashes when JWT authentication is configured with the remote JWKS
    fetching in github.com/envoyproxy/envoy
cves:
    - CVE-2025-64527
ghsas:
    - GHSA-mp85-7mrq-r866
references:
    - advisory: https://github.com/advisories/GHSA-mp85-7mrq-r866
    - advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-64527
notes:
    - fix: 'module merge error: could not merge versions of module github.com/envoyproxy/envoy: invalid or non-canonical semver version (found TODO (earliest fixed "1.33.13", vuln range "<= 1.33.12"))'
source:
    id: GHSA-mp85-7mrq-r866
    created: 2025-12-05T19:01:21.481171151Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-mp85-7mrq-r866 #4194

Summary

Details

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-mp85-7mrq-r866 #4194

Description

Summary

Details

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions