fix(deps): vuln github.com/envoyproxy/envoy (minor → v1.37.2) [contrib/golang] by gh-worker-campaigns-3e9aa4[bot] · Pull Request #25 · DataDog/envoy

gh-worker-campaigns-3e9aa4 · 2026-04-23T10:13:54Z

Summary: High-severity security update — 5 packages upgraded (MINOR changes included)

Manifests changed:

contrib/golang (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
github.com/envoyproxy/envoy	v1.24.0	v1.37.2	minor	Direct	2 HIGH, 12 MODERATE, 2 LOW
github.com/envoyproxy/envoy	v1.36.2	v1.36.6	patch	Direct	2 HIGH, 12 MODERATE, 2 LOW
github.com/envoyproxy/envoy	v1.36.2	v1.36.6	patch	Direct	2 HIGH, 12 MODERATE, 2 LOW
github.com/envoyproxy/envoy	v1.33.2	v1.37.2	minor	Direct	2 HIGH, 10 MODERATE, 2 LOW
github.com/envoyproxy/envoy	v1.33.2	v1.37.2	minor	Direct	2 HIGH, 10 MODERATE, 2 LOW

Security Details

🚨 Critical & High Severity (10 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/envoyproxy/envoy	GHSA-ghc4-35x6-crw5	HIGH	Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.24.0	1.37.1
github.com/envoyproxy/envoy	CVE-2026-26308	HIGH	Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.24.0	-
github.com/envoyproxy/envoy	GHSA-ghc4-35x6-crw5	HIGH	Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.36.2	1.37.1
github.com/envoyproxy/envoy	CVE-2026-26308	HIGH	Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2026-26308	HIGH	Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-ghc4-35x6-crw5	HIGH	Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.33.2	1.37.1
github.com/envoyproxy/envoy	CVE-2026-26308	HIGH	Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-ghc4-35x6-crw5	HIGH	Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.36.2	1.37.1
github.com/envoyproxy/envoy	CVE-2026-26308	HIGH	Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-ghc4-35x6-crw5	HIGH	Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation	v1.33.2	1.37.1

ℹ️ Other Vulnerabilities (66)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
github.com/envoyproxy/envoy	GHSA-rwjg-c3h2-f57p	MODERATE	Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.24.0	1.36.3
github.com/envoyproxy/envoy	CVE-2025-66220	MODERATE	Envoy’s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.24.0	-
github.com/envoyproxy/envoy	GHSA-cf3q-gqg7-3fm9	MODERATE	Envoy crashes when HTTP ext_proc processes local replies	v1.24.0	1.30.10
github.com/envoyproxy/envoy	CVE-2025-30157	MODERATE	Envoy crashes when HTTP ext_proc processes local replies	v1.24.0	-
github.com/envoyproxy/envoy	GHSA-84xm-r438-86px	MODERATE	Envoy: HTTP - filter chain execution on reset streams causing UAF crash	v1.24.0	-
github.com/envoyproxy/envoy	CVE-2026-26311	MODERATE	Envoy HTTP: filter chain execution on reset streams causing UAF crash	v1.24.0	-
github.com/envoyproxy/envoy	GHSA-mp85-7mrq-r866	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.24.0	1.36.3
github.com/envoyproxy/envoy	CVE-2026-26310	MODERATE	Crash for scoped ip address in Envoy during DNS	v1.24.0	-
github.com/envoyproxy/envoy	GHSA-3cw6-2j68-868p	MODERATE	Envoy vulnerable to crash for scoped ip address during DNS	v1.24.0	-
github.com/envoyproxy/envoy	CVE-2026-26309	MODERATE	Envoy has an off-by-one write in JsonEscaper::escapeString()	v1.24.0	-
github.com/envoyproxy/envoy	GHSA-56cj-wgg3-x943	MODERATE	Envoy affected by off-by-one write in JsonEscaper::escapeString()	v1.24.0	-
github.com/envoyproxy/envoy	CVE-2025-64527	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.24.0	-
github.com/envoyproxy/envoy	GHSA-c23c-rp3m-vpg3	MODERATE	Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2026-26311	MODERATE	Envoy HTTP: filter chain execution on reset streams causing UAF crash	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-56cj-wgg3-x943	MODERATE	Envoy affected by off-by-one write in JsonEscaper::escapeString()	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2026-26309	MODERATE	Envoy has an off-by-one write in JsonEscaper::escapeString()	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-rwjg-c3h2-f57p	MODERATE	Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.36.2	1.36.3
github.com/envoyproxy/envoy	CVE-2025-66220	MODERATE	Envoy’s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-84xm-r438-86px	MODERATE	Envoy: HTTP - filter chain execution on reset streams causing UAF crash	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2026-26310	MODERATE	Crash for scoped ip address in Envoy during DNS	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-mp85-7mrq-r866	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.36.2	1.36.3
github.com/envoyproxy/envoy	CVE-2025-64527	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-3cw6-2j68-868p	MODERATE	Envoy vulnerable to crash for scoped ip address during DNS	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2026-26330	MODERATE	Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-rwjg-c3h2-f57p	MODERATE	Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.33.2	1.36.3
github.com/envoyproxy/envoy	CVE-2026-26310	MODERATE	Crash for scoped ip address in Envoy during DNS	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-84xm-r438-86px	MODERATE	Envoy: HTTP - filter chain execution on reset streams causing UAF crash	v1.33.2	-
github.com/envoyproxy/envoy	CVE-2026-26311	MODERATE	Envoy HTTP: filter chain execution on reset streams causing UAF crash	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-mp85-7mrq-r866	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.33.2	1.36.3
github.com/envoyproxy/envoy	CVE-2025-66220	MODERATE	Envoy’s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.33.2	-
github.com/envoyproxy/envoy	CVE-2025-64527	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-3cw6-2j68-868p	MODERATE	Envoy vulnerable to crash for scoped ip address during DNS	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-56cj-wgg3-x943	MODERATE	Envoy affected by off-by-one write in JsonEscaper::escapeString()	v1.33.2	-
github.com/envoyproxy/envoy	CVE-2026-26309	MODERATE	Envoy has an off-by-one write in JsonEscaper::escapeString()	v1.33.2	-
github.com/envoyproxy/envoy	CVE-2026-26309	MODERATE	Envoy has an off-by-one write in JsonEscaper::escapeString()	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-mp85-7mrq-r866	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.36.2	1.36.3
github.com/envoyproxy/envoy	GHSA-c23c-rp3m-vpg3	MODERATE	Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2026-26330	MODERATE	Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-3cw6-2j68-868p	MODERATE	Envoy vulnerable to crash for scoped ip address during DNS	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2026-26310	MODERATE	Crash for scoped ip address in Envoy during DNS	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-84xm-r438-86px	MODERATE	Envoy: HTTP - filter chain execution on reset streams causing UAF crash	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2026-26311	MODERATE	Envoy HTTP: filter chain execution on reset streams causing UAF crash	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2025-64527	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2025-66220	MODERATE	Envoy’s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-56cj-wgg3-x943	MODERATE	Envoy affected by off-by-one write in JsonEscaper::escapeString()	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-rwjg-c3h2-f57p	MODERATE	Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.36.2	1.36.3
github.com/envoyproxy/envoy	CVE-2026-26309	MODERATE	Envoy has an off-by-one write in JsonEscaper::escapeString()	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-56cj-wgg3-x943	MODERATE	Envoy affected by off-by-one write in JsonEscaper::escapeString()	v1.33.2	-
github.com/envoyproxy/envoy	CVE-2025-66220	MODERATE	Envoy’s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-rwjg-c3h2-f57p	MODERATE	Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte	v1.33.2	1.36.3
github.com/envoyproxy/envoy	GHSA-3cw6-2j68-868p	MODERATE	Envoy vulnerable to crash for scoped ip address during DNS	v1.33.2	-
github.com/envoyproxy/envoy	CVE-2026-26310	MODERATE	Crash for scoped ip address in Envoy during DNS	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-mp85-7mrq-r866	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.33.2	1.36.3
github.com/envoyproxy/envoy	CVE-2025-64527	MODERATE	Envoy crashes when JWT authentication is configured with the remote JWKS fetching	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-84xm-r438-86px	MODERATE	Envoy: HTTP - filter chain execution on reset streams causing UAF crash	v1.33.2	-
github.com/envoyproxy/envoy	CVE-2026-26311	MODERATE	Envoy HTTP: filter chain execution on reset streams causing UAF crash	v1.33.2	-
github.com/envoyproxy/envoy	CVE-2025-64763	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.24.0	-
github.com/envoyproxy/envoy	GHSA-rj35-4m94-77jh	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.24.0	1.36.3
github.com/envoyproxy/envoy	GHSA-rj35-4m94-77jh	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.36.2	1.36.3
github.com/envoyproxy/envoy	CVE-2025-64763	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.36.2	-
github.com/envoyproxy/envoy	CVE-2025-64763	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.33.2	-
github.com/envoyproxy/envoy	GHSA-rj35-4m94-77jh	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.33.2	1.36.3
github.com/envoyproxy/envoy	CVE-2025-64763	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.36.2	-
github.com/envoyproxy/envoy	GHSA-rj35-4m94-77jh	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.36.2	1.36.3
github.com/envoyproxy/envoy	GHSA-rj35-4m94-77jh	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.33.2	1.36.3
github.com/envoyproxy/envoy	CVE-2025-64763	LOW	Envoy forwards early CONNECT data in TCP proxy mode	v1.33.2	-

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/envoyproxy/envoy	`v1.24.0`	Oct 19, 2025	`v1.37.2`	`contrib/golang/filters/http/test/test_data/dummy/go.mod`

Review Checklist

Standard review:

Review changes for compatibility with your code
Check for breaking changes in release notes
Run tests locally or wait for CI
Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

Executing automated changes

4a95927

gh-worker-campaigns-3e9aa4 Bot added campaigner-automated-change adms-fixes-eol adms-go adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-updates adms-dependency-update labels Apr 23, 2026

campaigner-prod Bot marked this pull request as ready for review April 23, 2026 13:57

HadrienPatte closed this Apr 26, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): vuln github.com/envoyproxy/envoy (minor → v1.37.2) [contrib/golang]#25

fix(deps): vuln github.com/envoyproxy/envoy (minor → v1.37.2) [contrib/golang]#25
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/golang/0-1776937216

gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

gh-worker-campaigns-3e9aa4 Bot commented Apr 23, 2026

Updates

Security Details

Review Checklist

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant