v1.36.3
envoy
Summary
This release (v1.36.3) focuses entirely on critical security fixes addressing vulnerabilities related to JWT configuration, TLS certificate matching, and request smuggling.
🐛 Bug Fixes
- Security fix for Envoy crash when JWT authentication is configured with remote JWKS fetching ([CVE-2025-64527](https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866)).
- Security fix for the TLS certificate matcher (`match_typed_subject_alt_names`) mishandling certificates whose subject alternative name contains an embedded null byte ([CVE-2025-66220](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p)).
- Security fix for potential request smuggling via early data sent after a CONNECT upgrade ([CVE-2025-64763](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh)).