VDB
KO
MEDIUM 6.5

GHSA-m2v6-2jmh-4c68

Envoy Gateway: Nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization

Details

Vulnerability report without repro case. Repro case may be added later after harness is complete.

**Preconditions (4):** - Tenant has SecurityPolicy + TCPRoute RBAC (baseline) - Tenant namespace permitted to attach TCPRoute to a Gateway listener - spec.authorization omitted (the trigger) - No admission webhook blocks the shape

**Description:**

A namespace-scoped tenant can deterministically panic the gatewayapi runner on every reconcile with a single CRD; the recover() in message/watchutil.go:53 keeps the process alive but unwinds the entire handle() callback in runner/runner.go:192, so xDS/Infra IR publishing stalls controller-wide until an admin deletes the object. Data plane keeps serving last-good config.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/envoyproxy/gateway
Introduced in: 1.8.0-rc.0 Fixed in: 1.8.1
Fix go get github.com/envoyproxy/gateway@v1.8.1
Go / github.com/envoyproxy/gateway
Introduced in: 0 Fixed in: 1.7.4
Fix go get github.com/envoyproxy/gateway@v1.7.4

References