CVE-2026-48042 | Envoy is an open source edge and service proxy designed for … | CVSS 7.5 HIGH

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Metadata

CVE ID: CVE-2026-48042
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-20 18:15 UTC
Published: 2026-06-26 17:29 UTC
Last updated: 2026-06-26 17:29 UTC
Primary CWE: CWE-1124
CWE-1124: Excessively Deep Nesting
Vendor / Product: envoyproxy / envoy
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products (1)

Vendor	Product	Platform	Versions
envoyproxy	envoy	—	>= 1.38.0, < 1.38.1, >= 1.37.0, < 1.37.3, >= 1.36.0, < 1.36.7, < 1.35.11

Weakness (CWE)

CWE	Source	Description
CWE-1124	cna	CWE-1124: Excessively Deep Nesting

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (2)

https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv
https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21 https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21