CVE-2025-46821: Envoy vulnerable to bypass of RBAC uri_template permission
First published: Wed May 07 2025 (Updated: Thu May 08 2025)
Envoy is a cloud-native edge/middle/service proxy. Prior to versions 1.34.1, 1.33.3, 1.32.6, and 1.31.8, Envoy's URI template matcher incorrectly excludes the `*` character from its set of valid URI path characters. As a result, a URI path containing `*` never matches a URI template expression. This can bypass RBAC rules configured with `uri_template` permissions: a DENY policy written that way does not fire for such a path (the request is let through), while an ALLOW policy written that way rejects it. The vulnerability is fixed in Envoy v1.34.1, v1.33.3, v1.32.6 and v1.31.8. As a workaround, configure additional RBAC permissions using `url_path` with a `safe_regex` expression covering the same paths.
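As an added example (not from the advisory and not the Envoy project's own configuration), the following RBAC HTTP filter shows the vulnerable `uri_template` permission beside the `url_path` + `safe_regex` workaround in one DENY policy. The policy name `deny-admin`, the `/admin/**` template and the regex are assumptions made for illustration:

```yaml
# Added example: deny /admin/** for every caller. On unpatched Envoy the
# uri_template permission never matches a path containing '*', so a request
# for /admin/*/users is not denied. The url_path/safe_regex permission is the
# advisory's workaround; permissions within a policy are OR-ed, so adding it
# next to the existing uri_template permission is sufficient.
http_filters:
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: DENY
      policies:
        deny-admin:            # assumed policy name
          principals:
          - any: true
          permissions:
          # Vulnerable on Envoy < 1.34.1 / 1.33.3 / 1.32.6 / 1.31.8:
          # /admin/*/users contains '*', is treated as an invalid path and
          # never matches, so this DENY rule does not fire.
          - uri_template:
              name: envoy.path.match.uri_template.uri_template_matcher
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                path_template: "/admin/**"
          # Workaround: a regex over the request path has no such character
          # exclusion, so /admin/*/users matches and the request is denied.
          - url_path:
              path:
                safe_regex:
                  regex: "^/admin(/.*)?$"   # assumed regex for this example
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

To check the behaviour, send a request for `/admin/*/users` through an unpatched Envoy: with only the `uri_template` permission it is forwarded (200 from upstream), with the `url_path` permission added it is rejected with 403 "RBAC: access denied". Two caveats when writing the regex: Envoy's `safe_regex` is a full-string match, and `url_path` is compared against the path without the query string and without normalization unless `normalize_path` is enabled on the connection manager, so test encoded and double-slash variants as well.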
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Envoy Proxy | <1.31.8 | Upgrade to 1.31.8 or later
Envoy Proxy | 1.32.0 to <1.32.6 | Upgrade to 1.32.6 or later
Envoy Proxy | 1.33.0 to <1.33.3 | Upgrade to 1.33.3 or later
Envoy Proxy | 1.34.0 | Upgrade to 1.34.1 or later
Frequently Asked Questions
What is the severity of CVE-2025-46821?
CVE-2025-46821 is rated medium severity: a request whose path contains `*` is silently not matched by `uri_template` permissions, so such requests can evade RBAC DENY rules written with that matcher.
How do I fix CVE-2025-46821?
To fix CVE-2025-46821, upgrade Envoy to 1.31.8, 1.32.6, 1.33.3 or 1.34.1 (or a later release on the same branch). If you cannot upgrade immediately, add a `url_path` permission with a `safe_regex` expression that covers the same paths as each affected `uri_template` permission.
What versions of Envoy are affected by CVE-2025-46821?
CVE-2025-46821 affects Envoy versions prior to 1.31.8, 1.32.0 through 1.32.5, 1.33.0 through 1.33.2, and 1.34.0.
What types of applications are vulnerable to CVE-2025-46821?
Any deployment running an unpatched Envoy whose RBAC filter uses `uri_template` permissions is exposed; RBAC rules written with `url_path`, `prefix` or `exact` path matchers are not affected by this issue.
What are the implications of CVE-2025-46821 for my deployment?
CVE-2025-46821 is an authorization bypass, not just a routing quirk: a client can add `*` to a URI path so that it no longer matches a `uri_template` permission. For a DENY policy this means the forbidden request is forwarded to the upstream; for an ALLOW policy it means a legitimate request containing `*` is rejected with 403.