Summary iPlain-English security verdict for Envoy, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
Envoy currently scores 100/100 — healthy. 1 actively-exploited vulnerability (CISA KEV) affects older releases (e.g. CVE-2023-44487) — staying on the latest supported version keeps you clear of it. The latest supported release is 1.38.2. It's on the latest patch with no significant known issues — keep it current.
Disclosure trend iNew CVEs published for Envoy each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2023-44487 HIGH exploited Uncontrolled resource consumption EPSS 100% → see advisory CVE-2024-30255 MEDIUM CWE-390 EPSS 88% → fixed in 1.29.3 CVE-2024-27919 HIGH CWE-390 EPSS 87% → see advisory CVE-2021-29492 HIGH Path traversal EPSS 68% → fixed in 1.18.3 CVE-2019-15226 HIGH Uncontrolled resource consumption EPSS 65% → see advisory CVE-2019-18801 CRITICAL Out-of-bounds write EPSS 3% → see advisory CVE-2019-18802 CRITICAL EPSS 2% → see advisory CVE-2022-29226 CRITICAL Missing authentication EPSS 1% → fixed in 1.22.1Get alerted about Envoy
Be emailed the moment Envoy gets a newly exploited vulnerability (CISA KEV) or a release reaches end of life. Free · double opt-in · unsubscribe anytime.
We email only on real events for Envoy — no marketing, no sharing, and we never know what you run. Track your whole stack →
Versions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each Envoy release line is supported — and when it sunsets. Select a line for its full report.
Full Envoy end-of-life dates & support timeline →
1.38 latest 1.38.2 Supported until 2027-04-231.38.2 → 1.37 latest 1.37.4 Supported until 2027-01-131.37.4 → 1.36 latest 1.36.8 Supported until 2026-10-141.36.8 → 1.35 latest 1.35.12 Supported until 2026-07-231.35.12 → 1.34 latest 1.34.14 End of life ended 2026-04-151.34.14 → 1.33 latest 1.33.14 End of life ended 2026-01-141.33.14 → 1.32 latest 1.32.13 End of life ended 2025-10-151.32.13 → 1.31 latest 1.31.10 End of life ended 2025-07-191.31.10 → 1.30 latest 1.30.11 End of life ended 2025-04-161.30.11 → 1.29 latest 1.29.12 End of life ended 2025-01-161.29.12 → See all upcoming end-of-life dates →Frequently asked
Is Envoy safe and patched?
Envoy currently scores 100/100 — healthy. 1 actively-exploited vulnerability (CISA KEV) affects older releases (e.g. CVE-2023-44487) — staying on the latest supported version keeps you clear of it. The latest supported release is 1.38.2. It's on the latest patch with no significant known issues — keep it current.
What should I do about Envoy now?
Upgrade Envoy to the latest supported release (1.38.2) or later, which clears the actively-exploited issues affecting older versions, then confirm against Envoy Proxy's official advisory.
When does Envoy reach end-of-life?
The latest supported Envoy release is 1.38.2. After end-of-life a release no longer receives security patches.
Which versions of Envoy are still receiving security updates?
Supported Envoy release lines (latest 1.38.2): 1.38, 1.37, 1.36, 1.35. End-of-life releases no longer receive security patches.
Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Envoy Proxy's official advisory before you patch or upgrade — Envoy official site ↗