v1.37.1

Summary of changes:

• Security fixes:

  • CVE-2026-26330: ratelimit: fix a bug where response phase limit may result in crash
  • CVE-2026-26308: fix multivalue header bypass in rbac
  • CVE-2026-26310: network: fix crash in getAddressWithPort() when called with a scoped IPv6 address
  • CVE-2026-26309: json: fixed an off-by-one write that could corrupted the string null terminator
  • CVE-2026-26311: http: ensure decode* methods are blocked after a downstream reset

• Bug fixes:

  • oauth2: Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host header value.
  • ext_proc: Fixed a bug to support two ext_proc filters configured in the chain.
  • ext_proc: Fixed message-valued CEL attribute serialization to use protobuf text format instead of debug string output, restoring compatibility with protobuf 30+.
  • ext_authz: Fixed headers from denied authorization responses (non-200) not being properly propagated to the client.
  • ext_authz: Fixed the HTTP ext_authz client to respect status_on_error configuration when the authorization server returns a 5xx error or when HTTP call failures occur.
  • access_log: Fixed a crash on listener removal with a process-level access log rate limiter.

• Other changes:

  • release: Published contrib binaries now include the -contrib suffix in their version string and fixed distroless-contrib images.
  • dynamic modules: Introduced extended ABI forward compatibility mechanism for dynamic modules.

• Dependency updates:

  • Migrated googleurl source to GitHub (google/gurl).
  • Updated Kafka test binary to 3.9.2.
  • Updated Docker base images.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.37.1
Docs:
https://www.envoyproxy.io/docs/envoy/v1.37.1/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.37.1/version_history/v1.37/v1.37.1
Full changelog:
v1.37.0...v1.37.1

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]

v1.36.5

Summary of changes:

• Security fixes:

  • CVE-2026-26330: ratelimit: fix a bug where response phase limit may result in crash
  • CVE-2026-26308: fix multivalue header bypass in rbac
  • CVE-2026-26310: network: fix crash in getAddressWithPort() when called with a scoped IPv6 address
  • CVE-2026-26309: json: fixed an off-by-one write that could corrupted the string null terminator
  • CVE-2026-26311: http: ensure decode* methods are blocked after a downstream reset

• Bug fix:

  • Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.

• Dependency updates:

  • Migrated googleurl source to GitHub (google/gurl).
  • Updated Kafka test binary to 3.9.2.
  • Updated Docker base images.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.5
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.5/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.5/version_history/v1.36/v1.36.5
Full changelog:
v1.36.4...v1.36.5

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]

v1.35.9

Summary of changes:

• Security fixes:

  • CVE-2026-26308: fix multivalue header bypass in rbac
  • CVE-2026-26310: network: fix crash in getAddressWithPort() when called with a scoped IPv6 address
  • CVE-2026-26309: json: fixed an off-by-one write that could corrupted the string null terminator
  • CVE-2026-26311: http: ensure decode* methods are blocked after a downstream reset

• Bug fix:

  • Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.

• Dependency updates:

  • Migrated googleurl source to GitHub (google/gurl).
  • Updated Kafka test binary to 3.9.2.
  • Updated Docker base images.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.9
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.9/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.9/version_history/v1.35/v1.35.9
Full changelog:
v1.35.8...v1.35.9

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]

v1.34.13

Summary of changes:

• Security fixes:

  • CVE-2026-26308: fix multivalue header bypass in rbac
  • CVE-2026-26310: network: fix crash in getAddressWithPort() when called with a scoped IPv6 address
  • CVE-2026-26309: json: fixed an off-by-one write that could corrupted the string null terminator
  • CVE-2026-26311: http: ensure decode* methods are blocked after a downstream reset

• Bug fix:

  • Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.

• Dependency updates:

  • Migrated googleurl source to GitHub (google/gurl).
  • Updated Kafka test binary to 3.9.2.
  • Updated Docker base images.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.34.13
Docs:
https://www.envoyproxy.io/docs/envoy/v1.34.13/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.34.13/version_history/v1.34/v1.34.13
Full changelog:
v1.34.12...v1.34.13

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]

v1.37.0

Summary of changes

Dynamic modules expansion

• Added support for network, listener, UDP listener, and access logger filters
• Introduced streaming HTTP callouts to HTTP filters
• Enhanced ABI for streaming body manipulation and header operations
• Added global module loading and improved module search path handling

HTTP and protocol enhancements

• Container-aware CPU detection for improved resource utilization in containerized environments
• HTTP/2 performance optimizations including reduced allocations for well-known headers
• Enhanced cookie matching in route configuration
• Added vhost header customization and forward client cert matching via xDS matcher

Filter ecosystem growth

• New transform filter for request/response body modification
• New MCP (Model Context Protocol) filter and router for agentic network
• Network-layer geoip filter for non-HTTP geolocation
• Postgres Inspector listener filter for PostgreSQL traffic routing

Security and authorization

• Proto API Scrubber filter now production-ready with comprehensive metrics
• Enhanced ext_authz with error response support and improved header handling
• Better TLS certificate validation failure messages in access logs
• On-demand certificate fetching via SDS

Composite filter improvements

• Support for filter chains and named filter chains
• Improved scalability through filter chain reuse across match actions

Observability

• New stats-based access logger
• Process-level rate limiting for access logs
• Enhanced OTLP stats sink with metric dropping support
• Added execution counters and improved tracing support across filters

Router and traffic management

• Cluster-level retry policies, hash policies, and request mirroring
• Composite cluster extension for retry-aware cluster selection
• Substitution formatting for direct response bodies and descriptor values

Other notable changes

• Fixed multiple memory leaks and crashes in HTTP/2, Lua, and connection handling
• Improved QUIC path migration using QUICHE logic
• Enhanced TCP proxy with upstream connect mode and early data buffering
• Added MaxMind Country database support for geoip

Breaking changes

• Changed default HTTP reset code from NO_ERROR to INTERNAL_ERROR
• Changed reset behavior to ignore upstream protocol errors by default
• Proto API Scrubber now returns 404 Not Found instead of 403 Forbidden for blocked methods
• Removed multiple runtime guards and legacy code paths

Deprecations

• OpenTelemetry access log common_config field deprecated in favor of explicit http_service/grpc_service configuration

---

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.37.0
Docs:
https://www.envoyproxy.io/docs/envoy/v1.37.0/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.37.0/version_history/v1.37/v1.37.0
Full changelog:
v1.36.0...v1.37.0

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]

v1.36.4

Summary of changes:

• Security updates:

  Resolve dependency CVEs:

  • c-ares/CVE-2025-0913:
    Use after free can crash Envoy due to malfunctioning or compromised DNS.

While a potentially severe bug in some cloud environments, this has limited exploitability
as any attacker would require control of DNS.

Envoy advisory is here GHSA-fg9g-pvc4-776f

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.4
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.4/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.4/version_history/v1.36/v1.36.4
Full changelog:
v1.36.3...v1.36.4

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]

v1.35.8

Summary of changes:

• Security updates:

  Resolve dependency CVEs:

  • c-ares/CVE-2025-0913:
    Use after free can crash Envoy due to malfunctioning or compromised DNS.

While a potentially severe bug in some cloud environments, this has limited exploitability
as any attacker would require control of DNS.

Envoy advisory is here GHSA-fg9g-pvc4-776f

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.8
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.8/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.8/version_history/v1.35/v1.35.8
Full changelog:
v1.35.7...v1.35.8

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]

v1.34.12

Summary of changes:

• Security updates:

  Resolve dependency CVEs:

  • c-ares/CVE-2025-0913:
    Use after free can crash Envoy due to malfunctioning or compromised DNS.

While a potentially severe bug in some cloud environments, this has limited exploitability
as any attacker would require control of DNS.

Envoy advisory is here GHSA-fg9g-pvc4-776f

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.34.12
Docs:
https://www.envoyproxy.io/docs/envoy/v1.34.12/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.34.12/version_history/v1.34/v1.34.12
Full changelog:
v1.34.11...v1.34.12

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]

v1.33.14

Summary of changes:

• Security updates:

  Resolve dependency CVEs:

  • c-ares/CVE-2025-0913:
    Use after free can crash Envoy due to malfunctioning or compromised DNS.

While a potentially severe bug in some cloud environments, this has limited exploitability
as any attacker would require control of DNS.

Envoy advisory is here GHSA-fg9g-pvc4-776f

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.33.14
Docs:
https://www.envoyproxy.io/docs/envoy/v1.33.14/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.33.14/version_history/v1.33/v1.33.14
Full changelog:
v1.33.13...v1.33.14

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]

v1.36.3

Summary of changes:

• Security fixes:
  • CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching
  • CVE-2025-66220: TLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte
  • CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.3
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.3/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.3/version_history/v1.36/v1.36.3
Full changelog:
v1.36.2...v1.36.3

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Boteng Yao [email protected]