security: Upgrade Envoy Gateway from v1.2.8 to v1.6.3 (CVE-2026-22771)#1985
NJX-njx wants to merge 3 commits into vllm-project:main
Upgrade Envoy Gateway from v1.2.8 to v1.6.3 to fix CVE-2026-22771 (GHSA-xrwg-mqj6-6m22) - a high-severity Lua arbitrary code execution vulnerability (CVSS: 8.8/10).

The patched version includes:
- Strict Lua validation enabled by default
- Security hardening for Lua scripts
- Optional disableLua setting in EnvoyProxy

Files updated:
- config/dependency/envoy-gateway/kustomization.yaml
- config/gateway/gateway.yaml (shutdown-manager image)
- config/overlays/release/envoy_proxy_patch.yaml
- config/overlays/vke/default/envoy_proxy_patch.yaml
- config/overlays/vke/dependency/envoy_gateway_patch.yaml
- config/overlays/vke/dependency/kustomization.yaml
- docs/source/getting_started/installation/installation.rst
- hack/release/sync-dependency-images.sh
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the security posture by upgrading the Envoy Gateway to a patched version. The primary motivation is to mitigate a critical vulnerability related to Lua script execution, ensuring that the system is protected against potential exploits. This update also brings improved security features and validation for Lua, contributing to a more robust and secure gateway environment.
Code Review
This pull request correctly upgrades Envoy Gateway to v1.6.3, addressing the high-severity vulnerability GHSA-xrwg-mqj6-6m22. The changes are consistent across all files.

For enhanced security, I recommend explicitly disabling Lua since it doesn't seem to be used in this project. This can be done by adding the following to your EnvoyProxy configurations:

```yaml
spec:
  extension:
    lua:
      disable: true
```

Also, a minor note: the CVE identifier in the PR title and description appears to have a typo. The correct ID for this vulnerability is CVE-2024-36059.
| "redis:7.4 ${TARGET_REGISTRY}/aibrix/redis:7.4" | ||
| "envoyproxy/envoy:v1.33.2 ${TARGET_REGISTRY}/aibrix/envoy:v1.33.2" | ||
| "envoyproxy/gateway:v1.2.8 ${TARGET_REGISTRY}/aibrix/gateway:v1.2.8" | ||
| "envoyproxy/gateway:v1.6.3 ${TARGET_REGISTRY}/aibrix/gateway:v1.6.3" |
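Review bot: the envoyproxy/envoy:v1.33.2 entry two lines above is left untouched while the gateway image on this line moves from v1.2.8 to v1.6.3, so the proxy image and the Envoy Gateway image are now bumped independently; confirm that Envoy Gateway v1.6.3 is meant to run with envoy v1.33.2 or bump the proxy image in the same change (a maintainer comment further down in this thread asks for envoy:v1.36.4). While touching the line, consider carrying the tag in one variable so the source and target halves cannot drift apart, e.g. `"envoyproxy/gateway:${ENVOY_GATEWAY_VERSION} ${TARGET_REGISTRY}/aibrix/gateway:${ENVOY_GATEWAY_VERSION}"`.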
To improve maintainability and reduce the chance of errors in future updates, consider defining the version as a variable and reusing it. This avoids hardcoding the version string in multiple places on the same line.

For example:

```bash
ENVOY_GATEWAY_VERSION="v1.6.3"
# ... in IMAGES array
"envoyproxy/gateway:${ENVOY_GATEWAY_VERSION} ${TARGET_REGISTRY}/aibrix/gateway:${ENVOY_GATEWAY_VERSION}"
```

Applying this pattern to all images in the IMAGES array would further improve the script's maintainability.
Pull request overview
Upgrades the pinned Envoy Gateway dependency from v1.2.8 to v1.6.3 across kustomize-based install paths to address CVE-2026-22771 (Lua arbitrary code execution in Envoy Gateway).
Changes:
- Bump Envoy Gateway install manifest URL and image tag to v1.6.3 in the dependency kustomization.
- Update shutdown-manager image references to envoyproxy/gateway:v1.6.3 (and VKE registry equivalents) in gateway/overlay patches.
- Update documentation and release image-sync script to use v1.6.3.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| config/dependency/envoy-gateway/kustomization.yaml | Updates remote install.yaml reference and envoyproxy/gateway image tag to v1.6.3. |
| config/gateway/gateway.yaml | Updates shutdown-manager image to envoyproxy/gateway:v1.6.3. |
| config/overlays/release/envoy_proxy_patch.yaml | Updates shutdown-manager image to envoyproxy/gateway:v1.6.3. |
| config/overlays/vke/default/envoy_proxy_patch.yaml | Updates shutdown-manager image to VKE registry .../gateway:v1.6.3. |
| config/overlays/vke/dependency/envoy_gateway_patch.yaml | Updates Envoy Gateway ConfigMap shutdownManager.image to VKE registry .../gateway:v1.6.3. |
| config/overlays/vke/dependency/kustomization.yaml | Updates VKE kustomize image tag to v1.6.3. |
| docs/source/getting_started/installation/installation.rst | Updates Envoy Gateway Helm install command to --version v1.6.3. |
| hack/release/sync-dependency-images.sh | Updates the synced Envoy Gateway image to envoyproxy/gateway:v1.6.3. |
| resources: | ||
| - https://github.com/envoyproxy/gateway/releases/download/v1.2.8/install.yaml | ||
| - https://github.com/envoyproxy/gateway/releases/download/v1.6.3/install.yaml | ||
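Review bot: this install manifest is still fetched from GitHub releases by tag at build time, and the PR summary says the same kustomization also overrides the envoyproxy/gateway image tag to v1.6.3; keep the tag in this URL and that image override identical on every bump (one variable or a check in CI), otherwise the controller manifest and the image it runs can diverge silently. The shutdown-manager image pinned separately in the gateway and overlay patches has the same coupling to this version.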
This upgrade appears incomplete: there are still references to the vulnerable Envoy Gateway version v1.2.8 in Helm chart values (e.g., dist/chart/stable.yaml, dist/chart/values.yaml, dist/chart/vke.yaml). As a result, Helm-based installs can still deploy the old envoyproxy/gateway:v1.2.8 shutdown-manager image despite updating the kustomize dependency here. Please update those chart files (or narrow the PR description/scope) so all install paths are consistently on v1.6.3.
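As an added check in the spirit of the review finding above (editor's example, not code from the PR or its reviewers), the script below scans an install tree for any leftover reference to the pre-patch gateway version, so Helm chart values such as the dist/ files cannot keep deploying the old image after a kustomize-only bump. The directory layout and file contents are constructed to mirror this PR; the Helm chart path is assumed.

```shell
#!/usr/bin/env bash
# Added example (not code from the PR): check that an Envoy Gateway bump reached
# every install path. Matches this PR's reference shapes: image tags (.../gateway:<v>),
# manifest URLs (.../releases/download/<v>/) and Helm "--version <v>"; other images are ignored.
# Print every line under $1 that still references gateway version $2.
# Returns 1 if any were found, 0 if the tree is clean for that version.
find_stale_gateway_refs() {
    local root="$1" old="$2" esc pat
    esc="$(printf '%s' "$old" | sed 's/\./\\./g')"      # v1.2.8 -> v1\.2\.8
    pat="gateway:${esc}([^.0-9]|$)|gateway/releases/download/${esc}/|--version[[:space:]]+${esc}([^.0-9]|$)"
    if grep -rnE --include='*.yaml' --include='*.yml' --include='*.rst' \
            --include='*.sh' -e "$pat" "$root"; then
        return 1
    fi
    return 0
}

# Number of matching lines; 0 means no install path still pins that version.
count_stale_gateway_refs() {
    find_stale_gateway_refs "$1" "$2" | wc -l | tr -d ' '
}

# Constructed tree mirroring the review finding: kustomize, docs and the sync
# script are on v1.6.3, but the Helm chart values under dist/ still pin v1.2.8.
make_sample_tree() {
    local root; root="$(mktemp -d)"
    mkdir -p "$root/config/dependency/envoy-gateway" "$root/dist/chart" \
             "$root/docs/source/getting_started/installation" "$root/hack/release"
    printf 'resources:\n  - https://github.com/envoyproxy/gateway/releases/download/v1.6.3/install.yaml\n' \
        >"$root/config/dependency/envoy-gateway/kustomization.yaml"
    printf 'helm install eg oci://docker.io/envoyproxy/gateway-helm --version v1.6.3\n' \
        >"$root/docs/source/getting_started/installation/installation.rst"
    cat >"$root/hack/release/sync-dependency-images.sh" <<'EOF'
IMAGES=(
  "envoyproxy/envoy:v1.33.2 ${TARGET_REGISTRY}/aibrix/envoy:v1.33.2"
  "envoyproxy/gateway:v1.6.3 ${TARGET_REGISTRY}/aibrix/gateway:v1.6.3"
)
EOF
    for f in values stable; do
        printf 'shutdownManager:\n  image: envoyproxy/gateway:v1.2.8\n' >"$root/dist/chart/$f.yaml"
    done
    printf 'shutdownManager:\n  image: aibrix-public-release-cn-beijing.cr.volces.com/aibrix/gateway:v1.2.8\n' \
        >"$root/dist/chart/vke.yaml"
    printf '%s\n' "$root"
}
root="$(make_sample_tree)"
find_stale_gateway_refs "$root" v1.2.8 && echo "OK: upgrade complete" \
    || echo "FAIL: $(count_stale_gateway_refs "$root" v1.2.8) line(s) still pin v1.2.8"
rm -rf "$root"
```

Run it against a real checkout by replacing the constructed tree with the repository root; a non-zero return from `find_stale_gateway_refs` is the signal to block the release.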
Yes, update the dist/ files as well
FYI uploaded these two images
aibrix-public-release-cn-beijing.cr.volces.com/aibrix/envoy:v1.36.4
aibrix-public-release-cn-beijing.cr.volces.com/aibrix/gateway:v1.6.3
Can you also bump the version for envoy:1.33.2 -> envoy:v1.36.4? Else looks good.
Summary
Closes #1888
Upgrades Envoy Gateway from v1.2.8 to v1.6.3 to fix CVE-2026-22771 (CVSS: 8.8/10) — a high-severity Lua arbitrary code execution vulnerability.
Vulnerability Details
What's Patched (v1.6.3)
- disableLua setting in EnvoyProxy to entirely block Lua extension policies
Compatibility
Per @varungup90's comment: v1.6.3 has been privately tested with no code compatibility issues.
Files Changed
- config/dependency/envoy-gateway/kustomization.yaml
- config/gateway/gateway.yaml
- config/overlays/release/envoy_proxy_patch.yaml
- config/overlays/vke/default/envoy_proxy_patch.yaml
- config/overlays/vke/dependency/envoy_gateway_patch.yaml
- config/overlays/vke/dependency/kustomization.yaml
- docs/source/getting_started/installation/installation.rst
- hack/release/sync-dependency-images.sh

All references to v1.2.8 have been replaced with v1.6.3.