CVE-2026-53713

ADVISORY - github

Summary

Impact

The to_absolute_normalized_path function (security.lua:28-43) does not collapse redundant path separators (// → /). On Linux, //etc/passwd is equivalent to /etc/passwd (POSIX path semantics), but is_critical_path fails to match the double-slash variant because //etc/passwd does not start with /etc/.

This allows Lua code submitted as an EnvoyExtensionPolicy to read arbitrary files from the gateway controller pod's filesystem during Strict validation (the default), including:

  • /etc/passwd
  • Kubernetes SA tokens via //var/run/secrets/kubernetes.io/serviceaccount/token
  • TLS certificates via //certs/...
  • Process environment via //proc/self/environ

These credentials can be used to read sensitive information from the K8s API Server or from the Gateway XDS server.

Patches

This has been patched in versions >= v1.7.4 and v1.8.1

  • Collapse redundant path separators (// to /) so double-slash variants like //etc/passwd and //var/run/secrets/... are matched by the critical-path check.
  • Rewrite the traversal check to reject any . or .. segment in any position and across both separator styles (catches /etc/./passwd, ./etc/passwd, /etc/.).

Workarounds

Please refer to the Warning section in Lua docs for measures to reduce risk.

Credits

Envoy Gateway thanks @dashingDragon and @Donjon-Cerberus for reporting this issue.

EPSS Score: 0.0004 (0.126)

Common Weakness Enumeration (CWE)

ADVISORY - github

Improper Input Validation


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in