CRE-2025-0109
Ambient HTTP status codes by ZtunnelMedium
CRE-2025-0109View on GitHub
Description
When Ambient mode is enabled, Ztunnel tunnels HTTP over HBONE\n(HTTP CONNECT) and although it's a TCP proxy, it still tags its\n\"connection complete\" log lines with the HTTP status code from\nthe upstream response (e.g. 503, 401). This CRE verifies that\nnon-2xx responses are correctly surfaced.\n
Mitigation
IMMEDIATE:\n- Inspect your HTTP service logs to confirm the 4xx/5xx.\n- Run `kubectl -n istio-system logs <ztunnel-pod> -c istio-proxy`\n and grep for `status=<code>`.\nRECOVERY:\n- Ensure your `meshConfig.defaultConfig.proxyStatsMatcher.inclusionRegexps`\n includes `status` so status codes get logged.\n