v1.37.5
Breaking Changes📦 envoyView on GitHub →
⚠ 1 breaking🐛 16 fixes🔧 1 symbols
Summary
Release v1.37.5 focuses heavily on security, addressing numerous CVEs across various components including Authz, HTTP/3, OAuth2, and Zstd decompression. Additionally, the Intel DLB connection balancer extension was disabled due to upstream source archive issues.
⚠️ Breaking Changes
- The contrib extension "envoy.network.connection_balance.dlb" (Intel DLB connection balancer) has been disabled at the Bazel layer for all builds and platforms due to a source archive breakage. Users relying on this extension must use local workarounds as described in https://github.com/envoyproxy/envoy/issues/45491.
Migration Steps
- If you were using the Intel DLB connection balancer extension, you must implement local workarounds as described in https://github.com/envoyproxy/envoy/issues/45491, as the extension is disabled by default.
🐛 Bug Fixes
- Fixed Authz per route crash ([CVE-2026-47205](https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j)).
- Fixed ext_proc response in one gRPC message issue ([CVE-2026-47207](https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv)).
- Fixed router internal redirects crash ([CVE-2026-47221](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr)).
- Fixed REQUESTED_SERVER_NAME crash ([CVE-2026-47220](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v)).
- Fixed OAuth2 code verifier padding oracle vulnerability ([CVE-2026-47775](https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p)).
- Fixed zstd RLE zip bomb vulnerability ([CVE-2026-48044](https://github.com/envoyproxy/envoy/security/advisories/GHSA-m3p9-47wh-88wg)).
- Fixed grpc_stats filter segfault on Connect protocol requests to direct_response routes ([CVE-2026-47204](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6)).
- Fixed PROXY Protocol v2 header generator emitting "skipped" TLVs, causing 65 KB attacker-controlled spillover ([CVE-2026-47692](https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r)).
- Fixed Embedded NUL in TLS SAN Truncation leading to Auth Bypass ([CVE-2026-47778](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7)).
- Fixed Stack overflow in destructor of highly nested JSON ([CVE-2026-48042](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv)).
- Fixed OAuth2 filter late async token completion after stream teardown risk ([CVE-2026-48090](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f)).
- Fixed Abnormal process termination in DNS UDP filter ([CVE-2026-48497](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q)).
- Fixed HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length ([CVE-2026-48743](https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf)).
- Fixed Envoy Heap Buffer Overflow in TcpStatsdSink ([CVE-2026-48706](https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4)).
- Fixed Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding ([GHSA-p7c7-7c47-pwch]).
- Upstream fix: bumped ``com_github_wasmtime`` to resolve CVE-2026-47261.