1.37.1 (March 11, 2026)

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • access_log: Fixed a crash on listener removal with a process-level access log rate limiter ProcessRateLimitFilter.

  • ext_authz: Fixed a bug where headers from a denied authorization response (non-200) were not properly propagated to the client.

  • ext_authz: Fixed the HTTP ext_authz client to respect status_on_error configuration when the authorization server returns a 5xx error or when HTTP call failures occur. Previously, these error scenarios always returned 403 Forbidden regardless of the configured error status.

  • ext_proc: Fixed a bug to support two ext_proc filters configured in the chain. This change can be reverted by setting the runtime guard envoy.reloadable_features.ext_proc_inject_data_with_state_update to false.

  • ext_proc: Fixed message-valued CEL attribute serialization (for example xds.virtual_host_metadata) to use protobuf text format instead of debug string output. This restores ext_proc compatibility with protobuf 30+ where debug-string output is intentionally not parseable (for example goo.gle/debugonly prefixes). This change can be reverted by setting runtime guard envoy.reloadable_features.cel_message_serialize_text_format to false.

  • http: Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet destroyed. This could cause use-after-free conditions when filter callbacks were invoked on filters that had already received onDestroy(). The fix ensures that decodeHeaders(), decodeData(), decodeTrailers(), and decodeMetadata() are blocked after a downstream reset.

  • json: Fixed an off-by-one write in JsonEscaper::escapeString() that could corrupt the string null terminator when the input string ends with a control character.

  • network: Fixed a crash in Utility::getAddressWithPort when called with a scoped IPv6 address (e.g., fe80::1%eth0).

  • oauth2: Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host header value.

  • ratelimit: Fixed a bug in the gRPC rate limit client where the client could get into a bad state if the callbacks were not properly released after a request completion, leading to potential use-after-free issues. The fix ensures that callbacks and request references are cleared after completion, and adds assertions to enforce correct usage patterns.

  • rbac: Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values into a single string. This prevents potential bypasses when requests contain multiple values for the same header. The new behavior is enabled by the runtime guard envoy.reloadable_features.rbac_match_headers_individually.

  • release: Published contrib binaries now include the -contrib suffix in their version string.

New features

  • dynamic modules: Introduced the extended ABI forward compatibility mechanism for dynamic modules where modules built with a SDK version can be loaded by Envoy binaries of the next Envoy version. For example, A module built with the v1.38 SDK can now be loaded by an Envoy binary of v1.39.