
Istio

Istio is a platform-independent service mesh that provides traffic management, mTLS, and telemetry for Kubernetes workloads. It is widely deployed as the networking layer beneath AI inference platforms and multi-tenant cluster services. NVD tracks the control plane as istio:istio. The data plane runs Envoy Proxy; some advisories mention Envoy in their text, but the Istio CPE rows are scoped to control-plane CVEs.

api usage

Querying Istio

product slug: istio
version format: 1.24.0, 1.15.0, 1.14.0
bash
curl "https://api.attestd.io/v1/check?product=istio&version=1.15.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Istio 1.15.0 is affected by CVE-2022-39278 (istiod crash via an oversized webhook message when port 15017 is exposed). The aggregated response is expected to report risk_state: "high".

json
{
  "product": "istio",
  "version": "1.15.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "denial_of_service",
    "internet_exposed_service",
    "no_authentication_required",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.15.2",
  "confidence": 0.86,
  "cve_ids": ["CVE-2022-39278"],
  "last_updated": "2026-05-22T00:00:00Z"
}

safe version

Istio 1.24.0 is used as a patched-line example; confirm with live /v1/check after ingestion.

bash
curl "https://api.attestd.io/v1/check?product=istio&version=1.24.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

notable cves

CVE history

Istio CVEs concentrate on the control plane (istiod), validating/mutating webhooks, and header parsing paths that reach Envoy. External-istiod topologies that expose webhook ports publicly carry higher blast radius for unauthenticated control-plane bugs.

CVE | Description | Affects | CVSS
CVE-2022-39278 | istiod crash via crafted or oversized message to validating/mutating webhook on port 15017. | < 1.15.2 | 7.5
CVE-2022-31045 | Ill-formed headers to Envoy in certain configurations cause unexpected memory access, undefined behavior, or crashing. | < 1.14.1 | 9.8
CVE-2022-24726 | istiod control plane crash via specially crafted request to the validating webhook on port 15017; no authentication required from the attacker. | < 1.13.2 | 7.5
CVE-2021-39156 | URI path authorization policy bypass: HTTP requests with a #fragment in the path evade path-based authorization rules. | < 1.11.1 | 8.1
CVE-2020-8595 | Authentication bypass: JWT exact-path matching can be defeated by appending ? or # to a URI, allowing access to protected paths without a valid token. | 1.3.0 to 1.4.3 | 7.3
CVE-2019-18817 | Denial of service when continue_on_listener_filters_timeout is set to true, causing an infinite loop on certain connections. | 1.3.x < 1.3.5 | 7.5
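As an added example (not attestd's own code), the following Python helper does an offline pre-check of an Istio version against the Affects column of the table above, read literally as printed, and turns a /v1/check response like the one shown earlier into an admission decision. It assumes dotted-integer version strings and that the three range notations in the table mean "below", "inclusive span", and "within the minor line and below the fix".

```python
# Added example, not attestd's own code: an offline triage helper that
# (a) matches an Istio version against the "Affects" column of the CVE
# table above, read literally as printed, and (b) turns a /v1/check
# response into an admission decision. Assumes dotted-integer versions.

def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.strip().split("."))

def parse_affects(expr: str):
    """Build a predicate over parsed versions from one 'Affects' cell."""
    expr = expr.strip()
    if expr.startswith("<"):                      # "< 1.15.2"
        hi = parse_version(expr[1:])
        return lambda v: v < hi
    if " to " in expr:                            # "1.3.0 to 1.4.3", inclusive
        lo, hi = (parse_version(p) for p in expr.split(" to "))
        return lambda v: lo <= v <= hi
    if ".x <" in expr:                            # "1.3.x < 1.3.5": same line, below fix
        line, bound = expr.split(" < ")
        prefix, hi = parse_version(line.replace(".x", "")), parse_version(bound)
        return lambda v: v[:len(prefix)] == prefix and v < hi
    raise ValueError(f"unrecognised range: {expr!r}")

# Rows copied from the notable-CVE table on this page: (CVE, Affects, CVSS).
NOTABLE = [
    ("CVE-2022-39278", "< 1.15.2", 7.5),
    ("CVE-2022-31045", "< 1.14.1", 9.8),
    ("CVE-2022-24726", "< 1.13.2", 7.5),
    ("CVE-2021-39156", "< 1.11.1", 8.1),
    ("CVE-2020-8595", "1.3.0 to 1.4.3", 7.3),
    ("CVE-2019-18817", "1.3.x < 1.3.5", 7.5),
]

def applicable_cves(version: str) -> list[str]:
    """CVEs whose printed Affects range contains this version, table order."""
    v = parse_version(version)
    return [cve for cve, rng, _ in NOTABLE if parse_affects(rng)(v)]

def admission_decision(resp: dict) -> str:
    """Block on high-risk unauthenticated remote findings; warn otherwise; allow if clean."""
    if not resp.get("cve_ids"):
        return "allow"
    if (resp.get("risk_state") == "high" and resp.get("remote_exploitable")
            and not resp.get("authentication_required")):
        return f"block: upgrade to {resp.get('fixed_version', '<unknown>')}"
    return "warn"

SAMPLE_RESPONSE = {  # constructed from the 1.15.0 /v1/check response shown above
    "version": "1.15.0", "risk_state": "high", "remote_exploitable": True,
    "authentication_required": False, "fixed_version": "1.15.2",
    "cve_ids": ["CVE-2022-39278"]}
```

Note that the literal "< X" ranges make every early release match several rows at once; the live API, which applies per-line fixed versions, is authoritative for the actual exposure of a given release.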