How severe is CVE-2025-25294?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2025-25294?

This is classified as CWE-117, which is a common weakness in software security.

CVE-2025-25294

MEDIUM Year: 2025

CVSS v3 Score

5.3

Medium

Weakness Type

CWE-117

View all →

Vulnerability Description

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection attacks. If the attacker uses a specially crafted user-agent which performs json injection, then he could add and overwrite fields to the access log. This vulnerability is fixed in 1.3.1 and 1.2.7. One can overwrite the old text based default format with JSON formatter by modifying the "EnvoyProxy.spec.telemetry.accessLog" setting.

CVE-2019-10213

MEDIUM

CVSS:5.3(Medium)

OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read...

CWE-1172019

CVE-2019-14854

MEDIUM

CVSS:5.3(Medium)

OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to d...

CWE-1172019

CVE-2020-4072

MEDIUM

CVSS:5.3(Medium)

In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forg...

CWE-1172020

CVE-2021-20333

MEDIUM

CVSS:5.3(Medium)

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6...

CWE-1172021

CVE-2021-43410

MEDIUM

CVSS:5.3(Medium)

Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affecte...

CWE-1172021

CVE-2022-1522

MEDIUM

CVSS:5.3(Medium)

The Cognex 3D-A1000 Dimensioning System in firmware version 1.0.3 (3354) and prior is vulnerable to CWE-117: Improper Output Neutralization for Logs, which allows an attacker to create false logs that...

CWE-1172022

CVE-2025-25294

Vulnerability Description

Related Vulnerabilities

CVE-2019-10213

CVE-2019-14854

CVE-2020-4072

CVE-2021-20333

CVE-2021-43410

CVE-2022-1522