x/vulndb: potential Go vuln in github.com/dadrus/heimdall: GHSA-r8x2-fhmf-6mxp

Advisory [GHSA-r8x2-fhmf-6mxp](https://github.com/advisories/GHSA-r8x2-fhmf-6mxp) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/dadrus/heimdall](https://pkg.go.dev/github.com/dadrus/heimdall) |

Description:
### Summary
When using heimdall in envoy gRPC decision API mode, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed.

The HTTP based decision API is NOT affected, and proxy mode is NOT affected either.

**Note:** The issue can only lead to unintended access if heimdall is configured with an "allow all" default rule. Since v0.16.0, heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled, e.g. via `--insecure-skip-secure-default-rule-enforcement` or the broader `--insecure` ...

References:
- ADVISORY: https://github.com/advisories/GHSA-r8x2-fhmf-6mxp
- ADVISORY: https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp
- FIX: https://github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502
- FIX: https://github.com/dadrus/heimdall/pull/3106
- WEB: https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/dadrus/heimdall
      non_go_versions:
        - introduced: TODO (earliest fixed "0.17.11", vuln range ">= 0.7.0-alpha, <= 0.17.10")
      vulnerable_at: 0.17.11
summary: 'Heimdall: Path received via Envoy gRPC corrupted when containing query string in github.com/dadrus/heimdall'
cves:
    - CVE-2026-32811
ghsas:
    - GHSA-r8x2-fhmf-6mxp
references:
    - advisory: https://github.com/advisories/GHSA-r8x2-fhmf-6mxp
    - advisory: https://github.com/dadrus/heimdall/security/advisories/GHSA-r8x2-fhmf-6mxp
    - fix: https://github.com/dadrus/heimdall/commit/50321b3007db1ccafdc6b1cfd6bdc3689c19a502
    - fix: https://github.com/dadrus/heimdall/pull/3106
    - web: https://github.com/envoyproxy/envoy/blob/105b4acd422d67fcff908ec38d91c7676d079939/api/envoy/service/auth/v3/attribute_context.proto#L146-L147
source:
    id: GHSA-r8x2-fhmf-6mxp
    created: 2026-03-18T13:02:00.529782266Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/dadrus/heimdall: GHSA-r8x2-fhmf-6mxp #4742

Summary

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/dadrus/heimdall: GHSA-r8x2-fhmf-6mxp #4742

Description

Summary

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions