7.5

CVE-2026-48042

Exploit

Envoy: Stack overflow in destructor of highly nested JSON

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EnvoyproxyEnvoy Version >= 1.18.0 < 1.35.13
EnvoyproxyEnvoy Version >= 1.36.0 < 1.36.9
EnvoyproxyEnvoy Version >= 1.37.0 < 1.37.5
EnvoyproxyEnvoy Version >= 1.38.0 < 1.38.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.422
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1124 Excessively Deep Nesting

The code contains a callable or other code grouping in which the nesting / branching is too deep.

https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv
Vendor Advisory
Exploit
https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21
Product