{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.25.0"
              },
              {
                "fixed": "1.25.3"
              }
            ]
          },
          "events": [
            {
              "introduced": "9184b84cd0dcb3a6c57eb44b177d91c70e1a0901"
            },
            {
              "fixed": "e99d61c4596573fbea8b8a9def8b160e138a4018"
            }
          ],
          "repo": "https://github.com/envoyproxy/envoy",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.24.0"
              },
              {
                "fixed": "1.24.4"
              }
            ]
          },
          "events": [
            {
              "introduced": "15baf56003f33a07e0ab44f82f75a660040db438"
            },
            {
              "fixed": "d3d04156c3b05f8b4532d44e602fdd1b430c64bb"
            }
          ],
          "repo": "https://github.com/envoyproxy/envoy",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.23.0"
              },
              {
                "fixed": "1.23.6"
              }
            ]
          },
          "events": [
            {
              "introduced": "ce49c7f65668a22b80d1e83c35d170741bb8d46a"
            },
            {
              "fixed": "b2064ed660934383cece8c8d60393d5b0720ae4d"
            }
          ],
          "repo": "https://github.com/envoyproxy/envoy",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "1.22.9"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6392d12242234948b15a0fecee629f9cf8b76cee"
            }
          ],
          "repo": "https://github.com/envoyproxy/envoy",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-j79q-2g66-2xv5"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/27xxx/CVE-2023-27496.json"
  },
  "details": "Envoy is an open-source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the OAuth filter assumes that a `state` query parameter is present on any response that looks like an OAuth redirect response. Sending it a request whose URI path matches the redirect path, but without the `state` parameter, leads to abnormal termination of the Envoy process. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. The issue can also be mitigated by locking down OAuth traffic, disabling the filter, or by filtering traffic before it reaches the OAuth filter (e.g. via a Lua script).\n",
  "id": "CVE-2023-27496",
  "modified": "2026-03-13T21:49:05.059002254Z",
  "published": "2023-04-04T19:48:56.678Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/27xxx/CVE-2023-27496.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j79q-2g66-2xv5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27496"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Envoy may crash when a redirect URL without a state parameter is received in the OAuth filter"
}