Releases: envoyproxy/envoy
v1.37.0
Summary of changes
Dynamic modules expansion
- Added support for network, listener, UDP listener, and access logger filters
- Introduced streaming HTTP callouts to HTTP filters
- Enhanced ABI for streaming body manipulation and header operations
- Added global module loading and improved module search path handling
HTTP and protocol enhancements
- Container-aware CPU detection for improved resource utilization in containerized environments
- HTTP/2 performance optimizations including reduced allocations for well-known headers
- Enhanced cookie matching in route configuration
- Added vhost header customization and forward client cert matching via xDS matcher
Filter ecosystem growth
- New transform filter for request/response body modification
- New MCP (Model Context Protocol) filter and router for agentic network
- Network-layer geoip filter for non-HTTP geolocation
- Postgres Inspector listener filter for PostgreSQL traffic routing
Security and authorization
- Proto API Scrubber filter now production-ready with comprehensive metrics
- Enhanced ext_authz with error response support and improved header handling
- Better TLS certificate validation failure messages in access logs
- On-demand certificate fetching via SDS
Composite filter improvements
- Support for filter chains and named filter chains
- Improved scalability through filter chain reuse across match actions
Observability
- New stats-based access logger
- Process-level rate limiting for access logs
- Enhanced OTLP stats sink with metric dropping support
- Added execution counters and improved tracing support across filters
Router and traffic management
- Cluster-level retry policies, hash policies, and request mirroring
- Composite cluster extension for retry-aware cluster selection
- Substitution formatting for direct response bodies and descriptor values
Other notable changes
- Fixed multiple memory leaks and crashes in HTTP/2, Lua, and connection handling
- Improved QUIC path migration using QUICHE logic
- Enhanced TCP proxy with upstream connect mode and early data buffering
- Added MaxMind Country database support for geoip
Breaking changes
- Changed default HTTP reset code from
NO_ERRORtoINTERNAL_ERROR - Changed reset behavior to ignore upstream protocol errors by default
- Proto API Scrubber now returns
404 Not Foundinstead of403 Forbiddenfor blocked methods - Removed multiple runtime guards and legacy code paths
Deprecations
- OpenTelemetry access log
common_configfield deprecated in favor of explicithttp_service/grpc_serviceconfiguration
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.37.0
Docs:
https://www.envoyproxy.io/docs/envoy/v1.37.0/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.37.0/version_history/v1.37/v1.37.0
Full changelog:
v1.36.0...v1.37.0
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com
v1.36.4
Summary of changes:
-
Security updates:
Resolve dependency CVEs:
- c-ares/CVE-2025-0913:
Use after free can crash Envoy due to malfunctioning or compromised DNS.
- c-ares/CVE-2025-0913:
While a potentially severe bug in some cloud environments, this has limited exploitability
as any attacker would require control of DNS.
Envoy advisory is here GHSA-fg9g-pvc4-776f
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.4
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.4/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.4/version_history/v1.36/v1.36.4
Full changelog:
v1.36.3...v1.36.4
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com
v1.35.8
Summary of changes:
-
Security updates:
Resolve dependency CVEs:
- c-ares/CVE-2025-0913:
Use after free can crash Envoy due to malfunctioning or compromised DNS.
- c-ares/CVE-2025-0913:
While a potentially severe bug in some cloud environments, this has limited exploitability
as any attacker would require control of DNS.
Envoy advisory is here GHSA-fg9g-pvc4-776f
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.8
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.8/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.8/version_history/v1.35/v1.35.8
Full changelog:
v1.35.7...v1.35.8
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com
v1.34.12
Summary of changes:
-
Security updates:
Resolve dependency CVEs:
- c-ares/CVE-2025-0913:
Use after free can crash Envoy due to malfunctioning or compromised DNS.
- c-ares/CVE-2025-0913:
While a potentially severe bug in some cloud environments, this has limited exploitability
as any attacker would require control of DNS.
Envoy advisory is here GHSA-fg9g-pvc4-776f
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.34.12
Docs:
https://www.envoyproxy.io/docs/envoy/v1.34.12/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.34.12/version_history/v1.34/v1.34.12
Full changelog:
v1.34.11...v1.34.12
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com
v1.33.14
Summary of changes:
-
Security updates:
Resolve dependency CVEs:
- c-ares/CVE-2025-0913:
Use after free can crash Envoy due to malfunctioning or compromised DNS.
- c-ares/CVE-2025-0913:
While a potentially severe bug in some cloud environments, this has limited exploitability
as any attacker would require control of DNS.
Envoy advisory is here GHSA-fg9g-pvc4-776f
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.33.14
Docs:
https://www.envoyproxy.io/docs/envoy/v1.33.14/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.33.14/version_history/v1.33/v1.33.14
Full changelog:
v1.33.13...v1.33.14
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com
v1.36.3
Summary of changes:
- Security fixes:
- CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching
- CVE-2025-66220: TLS certificate matcher for
match_typed_subject_alt_namesmay incorrectly treat certificates containing an embedded null byte - CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.3
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.3/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.3/version_history/v1.36/v1.36.3
Full changelog:
v1.36.2...v1.36.3
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com
v1.35.7
Summary of changes:
- Security fixes:
- CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching
- CVE-2025-66220: TLS certificate matcher for
match_typed_subject_alt_namesmay incorrectly treat certificates containing an embedded null byte - CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.7
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.7/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.7/version_history/v1.35/v1.35.7
Full changelog:
v1.35.6...v1.35.7
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com
v1.34.11
Summary of changes:
- Security fixes:
- CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching
- CVE-2025-66220: TLS certificate matcher for
match_typed_subject_alt_namesmay incorrectly treat certificates containing an embedded null byte - CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.34.11
Docs:
https://www.envoyproxy.io/docs/envoy/v1.34.11/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.34.11/version_history/v1.34/v1.34.11
Full changelog:
v1.34.10...v1.34.11
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com
v1.33.13
Summary of changes:
- Security fixes:
- CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching
- CVE-2025-66220: TLS certificate matcher for
match_typed_subject_alt_namesmay incorrectly treat certificates containing an embedded null byte - CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.33.13
Docs:
https://www.envoyproxy.io/docs/envoy/v1.33.13/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.33.13/version_history/v1.33/v1.33.13
Full changelog:
v1.33.12...v1.33.13
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com
v1.36.2
Summary of changes:
-
Security update:
- CVE-2025-62504: A crash that occurs when Lua filters handle a sufficiently large response body
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.2
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.2/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.2/version_history/v1.36/v1.36.2
Full changelog:
v1.36.1...v1.36.2
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com