CVE-2024-53269

Envoy is a cloud-native high-performance edge/middle/service proxy. When additional address are not ip addresses, then the Happy Eyeballs sorting algorithm will crash in data plane. This issue has been addressed in releases 1.32.2, 1.31.4, and 1.30.8. Users are advised to upgrade. Users unable to upgrade may disable Happy Eyeballs and/or change the IP configuration.

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/envoyproxy/envoy/pull/37743/commits/3f62168d86aceb90f743f63b50cc711710b1c401	Patch
https://github.com/envoyproxy/envoy/security/advisories/GHSA-mfqp-7mmj-rm53	Third Party Advisory Exploit
https://github.com/envoyproxy/envoy/security/advisories/GHSA-mfqp-7mmj-rm53	Third Party Advisory Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy::::::::

History

28 Aug 2025, 14:41

Type	Values Removed	Values Added
CPE		cpe:2.3:a:envoyproxy:envoy::::::::
First Time		Envoyproxy envoy Envoyproxy
References	~~() https://github.com/envoyproxy/envoy/pull/37743/commits/3f62168d86aceb90f743f63b50cc711710b1c401 -~~	() https://github.com/envoyproxy/envoy/pull/37743/commits/3f62168d86aceb90f743f63b50cc711710b1c401 - Patch
References	~~() https://github.com/envoyproxy/envoy/security/advisories/GHSA-mfqp-7mmj-rm53 -~~	() https://github.com/envoyproxy/envoy/security/advisories/GHSA-mfqp-7mmj-rm53 - Third Party Advisory, Exploit

18 Dec 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-18 20:15

Updated : 2025-08-28 14:41

NVD link : CVE-2024-53269

Mitre link : CVE-2024-53269

CVE.ORG link : CVE-2024-53269

JSON object : View

Products Affected

envoyproxy

envoy

CWE

CWE-670

Always-Incorrect Control Flow Implementation

{"id": "CVE-2024-53269", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 0.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-12-18T20:15:24.127", "references": [{"url": "https://github.com/envoyproxy/envoy/pull/37743/commits/3f62168d86aceb90f743f63b50cc711710b1c401", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mfqp-7mmj-rm53", "tags": ["Third Party Advisory", "Exploit"], "source": "security-advisories@github.com"}, {"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mfqp-7mmj-rm53", "tags": ["Third Party Advisory", "Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-670"}]}], "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. When additional address are not ip addresses, then the Happy Eyeballs sorting algorithm will crash in data plane. This issue has been addressed in releases 1.32.2, 1.31.4, and 1.30.8. Users are advised to upgrade. Users unable to upgrade may disable Happy Eyeballs and/or change the IP configuration."}, {"lang": "es", "value": "Envoy es un proxy de servicio, de borde y de medio alcance de alto rendimiento nativo de la nube. Cuando las direcciones adicionales no son direcciones IP, el algoritmo de clasificaci\u00f3n Happy Eyeballs falla en el plano de datos. Este problema se solucion\u00f3 en las versiones 1.32.2, 1.31.4 y 1.30.8. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar pueden deshabilitar Happy Eyeballs o cambiar la configuraci\u00f3n de IP."}], "lastModified": "2025-08-28T14:41:52.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "968AC2E1-46FD-4D71-9808-1629EDFDD8DA", "versionEndExcluding": "1.30.8", "versionStartIncluding": "1.30.0"}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF721BF0-620F-4E55-B40B-0429A7646296", "versionEndExcluding": "1.31.4", "versionStartIncluding": "1.31.0"}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78ACA015-CA2E-419B-94F7-9BAF8F2DDF31", "versionEndExcluding": "1.32.2", "versionStartIncluding": "1.32.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}