7.5
CVE-2026-48042
- EPSS 0.56%
- Veröffentlicht 26.06.2026 17:29:14
- Zuletzt bearbeitet 29.06.2026 18:42:17
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Envoy: Stack overflow in destructor of highly nested JSON
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Envoyproxy ≫ Envoy Version >= 1.18.0 < 1.35.13
Envoyproxy ≫ Envoy Version >= 1.36.0 < 1.36.9
Envoyproxy ≫ Envoy Version >= 1.37.0 < 1.37.5
Envoyproxy ≫ Envoy Version >= 1.38.0 < 1.38.3
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.56% | 0.422 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-1124 Excessively Deep Nesting
The code contains a callable or other code grouping in which the nesting / branching is too deep.
https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv
https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21