Change8

v1.37.1

envoy
1 feature, 11 fixes, 10 symbols

Summary

This release focuses heavily on security fixes across multiple components, including ratelimit, rbac, json, and http handling. It also includes several bug fixes for OAuth2, ext_proc, ext_authz, and access logging.

Migration Steps

  1. Published contrib binaries now include the `-contrib` suffix in their version string; ensure any scripts relying on the old naming convention are updated.

✨ New Features

  • Introduced extended ABI forward compatibility mechanism for dynamic modules.

🐛 Bug Fixes

  • Fixed a bug in ratelimit where applying a rate limit in the response phase could result in a crash ([CVE-2026-26330]).
  • Fixed multivalue header bypass in rbac ([CVE-2026-26308]).
  • Fixed crash in getAddressWithPort() when called with a scoped IPv6 address ([CVE-2026-26310]).
  • Fixed an off-by-one write in json that could corrupt the string null terminator ([CVE-2026-26309]).
  • Ensured decode* methods are blocked after a downstream reset in http ([CVE-2026-26311]).
  • Fixed OAuth2 refresh requests so host rewriting no longer overrides the original `Host` header value.
  • Fixed a bug that prevented two ext_proc filters from being configured in the same filter chain.
  • Fixed message-valued CEL attribute serialization in ext_proc to use protobuf text format instead of debug string output, restoring compatibility with protobuf 30+.
  • Fixed ext_authz so that headers from denied (non-200) authorization responses are properly propagated to the client.
  • Fixed the HTTP ext_authz client to respect `status_on_error` configuration when the authorization server returns a 5xx error or when HTTP call failures occur.
  • Fixed a crash on listener removal with a process-level access log rate limiter.
