Phishing despite FIDO, leveraging a novel technique based on the Device Code Flow

TL;DR: This is a novel technique that builds on the well-known Device Code phishing approach. It initiates the flow dynamically the moment the victim opens the phishing link and immediately redirects them to the authentication page. A headless browser automates the rest by entering the freshly generated Device Code into the page behind the scenes. This sidesteps the 10-minute validity limit of the device code and removes the need for the victim to perform these steps manually, raising the efficiency of the attack to a new level....

April 18, 2025 · 6 min · Dennis Kniep
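For reference, the exchange the technique above builds on is the OAuth 2.0 Device Authorization Grant (RFC 8628). The following is an added example, not code from the post: a constructed authorization server, client and clock simulate both sides, so the polling states and the expiry of the device code can be observed offline. The 600-second lifetime, the 5-second interval, the client id, the verification URI and the user name are assumptions chosen to match the 10-minute window mentioned in the summary.

```python
"""OAuth 2.0 Device Authorization Grant (RFC 8628), both sides simulated.

Added example, not code from the original post. Server, client and clock are
constructed here; endpoint roles and error codes follow RFC 8628. The 600 s
lifetime, client id, verification_uri and user are assumptions.
"""
import secrets
import string


class FakeClock:
    """Injectable clock so code expiry can be driven deterministically."""
    def __init__(self):
        self.t = 0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Authorization server: issues device/user codes, records approval, mints tokens."""
    def __init__(self, clock, lifetime=600, interval=5):
        self.clock = clock
        self.lifetime = lifetime   # expires_in for the device_code/user_code pair
        self.interval = interval   # minimum polling interval the client must honour
        self._pending = {}         # device_code -> request record

    def device_authorization(self, client_id, scope):
        """Device Authorization Request/Response (RFC 8628 sections 3.1 and 3.2)."""
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        device_code = secrets.token_urlsafe(32)
        self._pending[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "issued": self.clock.now(), "approved_by": None, "last_poll": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",   # assumed
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, subject):
        """Browser side (section 3.3): an authenticated user enters the user_code."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and self.clock.now() - rec["issued"] < self.lifetime:
                rec["approved_by"] = subject
                return True
        return False   # unknown or expired code: the page rejects it

    def token(self, device_code, client_id):
        """Device Access Token Request/Response (sections 3.4 and 3.5)."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock.now() - rec["issued"] >= self.lifetime:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and self.clock.now() - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}
        rec["last_poll"] = self.clock.now()
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["approved_by"]}


def run_flow(approve_after, lifetime=600, interval=5):
    """Client side: start the flow, poll every `interval` seconds until a final answer.

    `approve_after` is when (in seconds) the user enters the code; set it past
    `lifetime` to see the expiry the summary refers to. Returns the final token
    response, the number of polls made, and whether the approval was accepted.
    """
    clock = FakeClock()
    server = DeviceAuthServer(clock, lifetime, interval)
    start = server.device_authorization("client-123", "openid profile")   # assumed client
    approved, polls = None, 0
    while True:
        clock.advance(interval)
        if approved is None and clock.now() >= approve_after:
            approved = server.approve(start["user_code"], "alice@example.com")
        resp = server.token(start["device_code"], "client-123")
        polls += 1
        if resp.get("error") in ("authorization_pending", "slow_down"):
            continue
        if approved is None:   # the flow ended before the user reached the page; try anyway
            approved = server.approve(start["user_code"], "alice@example.com")
        return {"response": resp, "polls": polls, "approved": approved}


if __name__ == "__main__":
    print(run_flow(approve_after=30))
    print(run_flow(approve_after=900))
```

`run_flow(30)` shows a user approving inside the window and the client receiving a bearer token on its sixth poll; `run_flow(900)` shows the `expired_token` response the client gets once the code's lifetime has passed, and that a late approval is rejected. That lifetime is the constraint the summary describes working around: a code generated ahead of time is dead by the time a victim arrives, which is why the page generates it only on click.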

CVE-2025-25294: Log Injection Vulnerability in Envoy Gateway

Summary: I discovered a vulnerability in Envoy Gateway that allowed attackers to manipulate access logs via a malicious User-Agent string. By injecting payloads into the User-Agent header, attackers could overwrite log fields (e.g., spoof IP addresses) or crash observability tools by corrupting the log format. After discovering CVE-2025-25294, I disclosed it responsibly to the maintainers and also fixed the code in that commit. Impact: In all Envoy Gateway versions prior to 1....

March 20, 2025 · 2 min · Dennis Kniep
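To make the two failure modes named in the summary concrete, here is an added example on a toy access logger; it is not Envoy Gateway's code, and the format strings, field names and sample requests are constructed. It contrasts a text format that interpolates the User-Agent verbatim and a JSON format assembled by string substitution with the hardened form that uses a real JSON encoder, and runs a naive line-oriented log shipper over each.

```python
"""Access-log injection through the User-Agent header, on a toy logger.

Constructed example, not Envoy Gateway's code: the format strings, field
names and sample values below are made up to show the two failure modes
named in the summary (spoofed fields, broken log format) and the fix.
"""
import json
import re

# Text-format line as a naive shipper expects it:
#   [client_ip] "METHOD path HTTP/1.1" status "user_agent"
LINE_RE = re.compile(r'^\[([^\]]+)\] "([A-Z]+) (\S+) HTTP/1\.1" (\d{3}) "(.*)"$')

# Constructed attacker-controlled User-Agent values.
NEWLINE_UA = 'Mozilla/5.0"\n[10.0.0.1] "GET /admin HTTP/1.1" 200 "spoofed'
KEY_OVERRIDE_UA = 'Mozilla/5.0", "client_ip": "10.0.0.1'


def format_text_log(client_ip, method, path, status, user_agent):
    """Weak: the header is interpolated verbatim, so a newline ends the real
    record and starts a second, attacker-authored one."""
    return f'[{client_ip}] "{method} {path} HTTP/1.1" {status} "{user_agent}"'


def format_json_log_templated(client_ip, method, path, status, user_agent):
    """Also weak: JSON shaped by string substitution. A quote in the header closes
    the field and lets the attacker append keys; a newline splits the record."""
    return ('{"client_ip": "%s", "method": "%s", "path": "%s", "status": %d, "user_agent": "%s"}'
            % (client_ip, method, path, status, user_agent))


def format_json_log(client_ip, method, path, status, user_agent):
    """Hardened: a real JSON encoder escapes quotes, newlines and control
    characters, so the header can never close its field or the record."""
    return json.dumps({"client_ip": client_ip, "method": method, "path": path,
                       "status": status, "user_agent": user_agent})


def parse_text_log(text):
    """Line-oriented shipper for the text format: one record per line."""
    records = []
    for line in text.split("\n"):
        m = LINE_RE.match(line)
        if m:
            records.append({"client_ip": m.group(1), "method": m.group(2), "path": m.group(3),
                            "status": int(m.group(4)), "user_agent": m.group(5)})
        else:
            records.append({"unparseable": line})
    return records


def parse_json_log(text):
    """Line-oriented shipper for JSON: one object per line. A line that is not
    JSON is the 'crash the observability tool' case, recorded here, not raised."""
    records = []
    for line in text.split("\n"):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            records.append({"unparseable": line})
    return records


def demo():
    """Run the three formats over the same request and return what the shipper saw."""
    req = ("203.0.113.7", "GET", "/login", 200)   # constructed request
    return {
        # Newline in text format: a second record with a spoofed client IP appears.
        "text_newline": parse_text_log(format_text_log(*req, NEWLINE_UA)),
        # Duplicate key via templated JSON: json.loads keeps the last value, so client_ip is rewritten.
        "json_templated_override": parse_json_log(format_json_log_templated(*req, KEY_OVERRIDE_UA)),
        # Newline in templated JSON: neither half parses any more.
        "json_templated_newline": parse_json_log(format_json_log_templated(*req, NEWLINE_UA)),
        # Encoder output: one record, true client IP, header preserved byte for byte.
        "json_encoded": parse_json_log(format_json_log(*req, NEWLINE_UA)),
    }


if __name__ == "__main__":
    for name, records in demo().items():
        print(name, records)
```

The check a practitioner wants from this is the last case: with a real encoder the injected newline and quotes survive as escaped text inside the `user_agent` field, the shipper sees exactly one record, and the `client_ip` field still holds the real peer address. The same reasoning applies to any other header or path component that ends up in a log template.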