Envoy
v1.37.2Networking & MessagingEnvoy v1.37.2 is a patch release fixing three runtime bugs: a crash on listener removal, incomplete body forwarding in dynamic module filters, and a request hang on buffer overflow during internal redirects.
breakingUpgrade immediately if using process-level access log rate limiting
If your Envoy config uses a process-level access log rate limiter and you perform any listener hot-reload or removal, you are hitting a crash path. This is not a low-probability edge case — listener removal happens during routine config updates via xDS. Upgrade to v1.37.2 before your next config push.
breakingCheck dynamic module filter pipelines for body truncation
If you run dynamic module filters alongside other filters that buffer request or response bodies (e.g., ext_proc, gRPC transcoding, JWT body inspection), you may have been forwarding truncated payloads upstream or to clients without any error. Audit logs for unexpected body size mismatches and validate behavior in staging after upgrading.
breakingInternal redirect with large request bodies could hang — patch this now
Any route config using internal redirects combined with upstream services that can trigger redirects on large POST/PUT bodies is a hang risk. The request stalls rather than returning an error, which means your upstream timeout is the only safety net. This is a silent reliability failure. Upgrade and consider temporarily tightening request buffer limits on affected routes as a short-term guard.
Key changes (5)
- Crash fix: listener removal with a process-level access log rate limiter no longer causes a process crash
- Dynamic module filters now correctly forward complete request/response bodies when adjacent filters perform buffering
- Internal redirect buffer overflow no longer hangs the request indefinitely
- Docker release images updated and corrected
- Stats subsystem updates included