CVE-2020-25017

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header.

Date published : 2020-10-01

https://github.com/envoyproxy/envoy/security/advisories/GHSA-2v25-cjjq-5f4w

https://groups.google.com/forum/#%21forum/envoy-security-announce