github.com/heptio/contour is vulnerable to Remote Code Execution (RCE)
81
High Risk
Improper neutralization of user-controlled input in Contour's cookie rewriting functionality allowed Lua code injection through HTTPProxy resource fields used for cookie path rewriting. An attacker with RBAC permission to create or modify HTTPProxy objects could inject arbitrary Lua code that the shared Envoy proxy instance executed once traffic reached the attacker-controlled route. Successful exploitation could lead to arbitrary code execution within Envoy, disclosure of xDS credentials and of other tenants' TLS certificates or private keys, and denial of service against co-hosted tenants.
You are affected if you are using a version that falls within the vulnerable range.
github.com/heptio/contour is vulnerable to Remote Code Execution (RCE) in versions 1.33.0 - 1.33.3, 1.32.0 - 1.32.4 and 0.0.1 - 1.31.5.
Upgrade github.com/heptio/contour to a version outside the vulnerable ranges listed above. Because exploitation requires RBAC permission to create or modify HTTPProxy objects, restricting that permission to trusted principals limits exposure until the upgrade is rolled out.
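The bug class described above, as an added example that is not Contour's or Envoy's code: a hypothetical Go builder that splices an HTTPProxy cookie-path field into an Envoy Lua filter by string concatenation, next to a hardened builder that allowlists the path at admission time and emits a properly escaped Lua literal. The Lua template, the `rewrite_path` helper it calls, the function names and the allowlist pattern are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustration only: none of this is Contour's or Envoy's code. It models the
// bug class in the advisory, where an operator-controlled HTTPProxy field (the
// rewritten cookie path) is spliced into a Lua script that the shared Envoy
// instance executes, and contrasts it with a hardened builder.

// luaTemplate is a hypothetical Envoy Lua filter body. The %s is where the
// cookie-path value from the HTTPProxy resource is inserted.
const luaTemplate = `function envoy_on_response(response_handle)
  local cookie = response_handle:headers():get("set-cookie")
  if cookie ~= nil then
    response_handle:headers():replace("set-cookie", rewrite_path(cookie, %s))
  end
end`

// unsafeCookiePathLua wraps the path in quotes and interpolates it verbatim.
// A path containing a double quote closes the Lua string literal early, so
// whatever follows is parsed and executed as Lua by Envoy.
func unsafeCookiePathLua(path string) string {
	return fmt.Sprintf(luaTemplate, `"`+path+`"`)
}

// validPath is a deliberately conservative allowlist (hypothetical, chosen for
// this example): a leading slash followed by unreserved URI path characters,
// percent-encoding and further slashes. Quotes, backslashes, semicolons,
// whitespace and control characters are all rejected.
var validPath = regexp.MustCompile(`^/[A-Za-z0-9._~%/-]*$`)

// luaQuote renders s as a Lua double-quoted string literal, escaping every
// character that could terminate or alter the literal. With validPath in
// front of it this is belt and braces, but it keeps the builder safe if the
// allowlist is ever loosened.
func luaQuote(s string) string {
	var b strings.Builder
	b.WriteByte('"')
	for _, r := range s {
		switch r {
		case '\\':
			b.WriteString(`\\`)
		case '"':
			b.WriteString(`\"`)
		case '\n':
			b.WriteString(`\n`)
		case '\r':
			b.WriteString(`\r`)
		case 0:
			b.WriteString(`\000`)
		default:
			b.WriteRune(r)
		}
	}
	b.WriteByte('"')
	return b.String()
}

// safeCookiePathLua rejects any path outside the allowlist at admission time
// (the point where an HTTPProxy object is validated) and only then emits a
// properly quoted Lua literal, so user data never reaches the script as code.
func safeCookiePathLua(path string) (string, error) {
	if !validPath.MatchString(path) {
		return "", fmt.Errorf("cookie rewrite path %q contains characters outside the allowlist", path)
	}
	return fmt.Sprintf(luaTemplate, luaQuote(path)), nil
}

func main() {
	// Constructed payload: closes the string literal, calls a Lua function,
	// and comments out the rest of the line so the script still parses.
	payload := `/app"); os.execute("id"); --`

	fmt.Println("--- unsafe builder ---")
	fmt.Println(unsafeCookiePathLua(payload))

	fmt.Println("--- safe builder, same payload ---")
	if _, err := safeCookiePathLua(payload); err != nil {
		fmt.Println("rejected:", err)
	}

	fmt.Println("--- safe builder, benign path ---")
	script, _ := safeCookiePathLua("/app")
	fmt.Println(script)
}
```

Running it shows the unsafe builder emitting a script in which the injected `os.execute` call sits outside the string literal, while the safe builder rejects the same input before any script is generated. The allowlist is the control that matters: escaping alone keeps the literal intact, but validating when the HTTPProxy object is created or updated is what stops a tenant with HTTPProxy RBAC rights from getting attacker-chosen bytes anywhere near the shared Envoy's Lua interpreter.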