Envoy Off-by-One Write Vulnerability in JsonEscaper String Escaping Function

Vulnerability

A vulnerability exists in Envoy versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, due to an off-by-one write error in the JsonEscaper::escapeString() function. This flaw can corrupt the null-termination of std::string objects, leading to undefined behavior. When the altered string is processed as a C-string, it can cause crashes or out-of-bounds reads. The issue arises in the control-character escaping path, where improper handling of certain characters can violate string bounds, potentially allowing exploitation through request-driven paths that escape untrusted data.

Impact

Exploitation of this vulnerability can lead to undefined behavior, including crashes or out-of-bounds reads, when the manipulated string is treated as a C-string.

Reproduction

The vulnerability can be reproduced by compiling a C++ program with AddressSanitizer enabled, which will catch memory errors. The program should create a string that includes a control character, such as the character with the hexadecimal value 0x01, which is known to trigger the off-by-one write error. After the string is processed by the escapeString function, the output can be checked for proper null-termination. If the termination is corrupted, it can be demonstrated that the string can be misused in a way that leads to a memory error, such as reading past the end of the string.

Remediation

Users can upgrade to Envoy versions 1.37.1, 1.36.5, 1.35.8, or 1.34.13 to address this vulnerability.

Added: Mar 10, 2026, 8:40 PM
Updated: Mar 10, 2026, 8:40 PM

Vulnerability Rating

Custom Algorithm
spread
7.3
impact
3.1
exploitability
9.5
remediation
7.7
relevance
2.4
threat
6.4
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.