v1.35.7

📦 envoy
🐛 3 fixes

Summary

This patch release (v1.35.7) focuses primarily on addressing three critical security vulnerabilities related to JWT authentication, TLS certificate matching, and request smuggling.

🐛 Bug Fixes

  • Fixed a crash when JWT authentication is configured with remote JWKS fetching ([CVE-2025-64527]).
  • Fixed an issue where the TLS certificate matcher for `match_typed_subject_alt_names` could incorrectly treat certificates containing an embedded null byte ([CVE-2025-66220]).
  • Fixed a potential request smuggling vulnerability arising from early data after the CONNECT upgrade ([CVE-2025-64763]).