CVE-2026-53713

ADVISORY - github

Summary

Impact

The to_absolute_normalized_path function (security.lua:28-43) does not collapse redundant path separators (// → /). On Linux, //etc/passwd is equivalent to /etc/passwd (POSIX path semantics), but is_critical_path fails to match the double-slash variant because //etc/passwd does not start with /etc/.

This allows Lua code submitted as an EnvoyExtensionPolicy to read arbitrary files from the gateway controller pod's filesystem during Strict validation (the default), including:

  • /etc/passwd
  • Kubernetes SA tokens via //var/run/secrets/kubernetes.io/serviceaccount/token
  • TLS certificates via //certs/...
  • Process environment via //proc/self/environ

These credentials can be used to read sensitive information from the K8s API Server or from the Gateway XDS server.

Patches

This has been patched in versions >= v1.7.4 and v1.8.1

  • Collapse redundant path separators (// to /) so double-slash variants like //etc/passwd and //var/run/secrets/... are matched by the critical-path check.
  • Rewrite the traversal check to reject any . or .. segment in any position and across both separator styles (catches /etc/./passwd, ./etc/passwd, /etc/.).

Workarounds

Please refer to the Warning section in Lua docs for measures to reduce risk.

Credits

Envoy Gateway thanks @dashingDragon and @Donjon-Cerberus for reporting this issue.

EPSS Score: 0.0004 (0.126)

Common Weakness Enumeration (CWE)

ADVISORY - github

Improper Input Validation


GitHub

CREATED

UPDATED

EXPLOITABILITY SCORE

3.1

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

9.1critical