The Envoy Project has issued a new security advisory addressing two significant vulnerabilities impacting its popular L7 proxy and communication bus. These flaws, one in the DNS cache and another in the OAuth2 filter, pose risks of denial of service and potential session hijacking if left unpatched.
The first issue, tracked as CVE-2025-54588 (CVSS 7.5), is a use-after-free (UAF) vulnerability in Envoy's DNS cache. According to the advisory, "a use-after-free (UAF) vulnerability in Envoy's DNS cache causes abnormal process termination. Envoy may reallocate memory when processing a pending DNS resolution, causing list iterator to reference freed memory."
This vulnerability affects Envoy's Dynamic Forward Proxy implementation starting from version v1.34.0, particularly when:
- The Dynamic Forwarding Filter is enabled.
- The envoy.reloadable_features.dfp_cluster_resolves_hosts runtime flag is enabled.
- The Host header is modified between the Dynamic Forwarding and Router filters.
The impact is a denial of service due to abnormal process termination. Affected deployments can recognise the crash by the Envoy::Event::DispatcherImpl::runPostCallbacks() frame in the call stack.
Users should upgrade to v1.35.1 or v1.34.5, or disable the runtime flag as a temporary workaround.
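The advisory describes the bug class only in one sentence (memory reallocated while a pending resolution is processed, leaving a list iterator pointing at freed memory). The following is an added illustration of that class on a generic pending-callback queue, not Envoy's code: the queue, the hypothetical host names and the `PendingQueue` API are constructed for the example. The unsafe method walks the container while a callback may grow it; the safe method drains the batch into a local container first, which is the usual mitigation for this kind of iterator invalidation.

```cpp
// Added example (not Envoy code): iterator invalidation on a pending-callback queue.
#include <functional>
#include <string>
#include <utility>
#include <vector>

class PendingQueue {
public:
    using Callback = std::function<void(PendingQueue&)>;

    // Queue a resolution; the callback runs when the batch is processed.
    void schedule(std::string host, Callback cb) {
        pending_.push_back({std::move(host), std::move(cb)});
    }

    // Unsafe shape: if a callback calls schedule(), push_back may reallocate
    // pending_, and `it` then refers to freed memory (use-after-free).
    // Shown for contrast only; never invoked because it is undefined behaviour.
    void runUnsafe() {
        for (auto it = pending_.begin(); it != pending_.end(); ++it) {
            it->second(*this);
        }
        pending_.clear();
    }

    // Safe shape: take ownership of the current batch (pending_ becomes empty),
    // then iterate the local copy. Anything a callback schedules lands in
    // pending_ and is processed on the next pass. Returns callbacks run.
    std::size_t runSafe() {
        std::vector<std::pair<std::string, Callback>> batch;
        batch.swap(pending_);
        for (auto& entry : batch) {
            entry.second(*this);
        }
        return batch.size();
    }

    std::size_t pendingCount() const { return pending_.size(); }

private:
    std::vector<std::pair<std::string, Callback>> pending_;
};

// Scenario (constructed): resolving "a.example" schedules a follow-up
// resolution from inside its own callback, i.e. the queue mutates mid-run.
// Returns {callbacks run in the first pass, entries left pending afterwards}.
std::pair<std::size_t, std::size_t> demoOnePass() {
    PendingQueue q;
    q.schedule("a.example", [](PendingQueue& self) {
        self.schedule("b.example", [](PendingQueue&) {});
    });
    std::size_t ran = q.runSafe();
    return {ran, q.pendingCount()};
}

// Same scenario driven to completion: total callbacks run over all passes.
std::size_t demoDrainAll() {
    PendingQueue q;
    q.schedule("a.example", [](PendingQueue& self) {
        self.schedule("b.example", [](PendingQueue&) {});
    });
    std::size_t total = 0;
    while (q.pendingCount() > 0) {
        total += q.runSafe();
    }
    return total;
}
```

Compiling the unsafe variant with AddressSanitizer and a callback that re-enters `schedule()` is the quickest way to see the heap-use-after-free report; the safe variant never touches the member container while callbacks execute.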
The second vulnerability, CVE-2025-55162 (CVSS 6.3), arises from insufficient session expiration in the Envoy OAuth2 filter. The advisory explains: "When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist."
This flaw means a user may think they've logged out, but the session remains active, creating a session hijacking risk on shared or public computers.
The vulnerability impacts all versions ≤1.35. Users should apply the patched versions (1.35.1, 1.34.5, 1.33.7, 1.32.10) or avoid using __Secure- or __Host- cookie name prefixes in the OAuth2 filter.
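To make the failure mode concrete, here is an added example (not Envoy's code) that builds a cookie-clearing Set-Cookie header and checks it against the cookie-prefix rules browsers enforce: a `__Secure-` name requires the Secure attribute, and a `__Host-` name requires Secure, `Path=/` and no Domain attribute. The `CookieAttrs` struct, the builder functions and the cookie name `__Secure-Session` are constructed for this illustration. The plain builder reproduces the shape of the defect the advisory describes (a deletion header without Secure, which the browser drops, so the cookie persists); the hardened builder derives the mandatory attributes from the name prefix so the deletion cannot be ignored.

```cpp
// Added example (not Envoy code): Set-Cookie deletion headers and the
// __Secure-/__Host- prefix rules that browsers enforce.
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>

struct CookieAttrs {
    std::string name;
    std::string path;    // empty means "not set"
    std::string domain;  // empty means "not set"
    bool secure = false;
    bool http_only = false;
};

static bool startsWith(const std::string& s, const std::string& p) {
    return s.size() >= p.size() && s.compare(0, p.size(), p) == 0;
}

static std::string trim(std::string s) {
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    s.erase(s.begin(), std::find_if(s.begin(), s.end(), notSpace));
    s.erase(std::find_if(s.rbegin(), s.rend(), notSpace).base(), s.end());
    return s;
}

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Render a deletion header exactly from the attributes given: empty value
// plus Max-Age=0. This is the defect shape: nothing forces Secure on.
std::string buildDeleteHeader(const CookieAttrs& a) {
    std::ostringstream h;
    h << a.name << "=; Max-Age=0";
    if (!a.path.empty()) h << "; Path=" << a.path;
    if (!a.domain.empty()) h << "; Domain=" << a.domain;
    if (a.secure) h << "; Secure";
    if (a.http_only) h << "; HttpOnly";
    return h.str();
}

// Parse a Set-Cookie line back into attributes (attribute names are
// case-insensitive; the first segment is name=value).
CookieAttrs parseSetCookie(const std::string& header) {
    CookieAttrs a;
    std::stringstream ss(header);
    std::string part;
    bool first = true;
    while (std::getline(ss, part, ';')) {
        part = trim(part);
        auto eq = part.find('=');
        std::string key = (eq == std::string::npos) ? part : part.substr(0, eq);
        std::string val = (eq == std::string::npos) ? "" : part.substr(eq + 1);
        if (first) { a.name = key; first = false; continue; }
        std::string k = lower(key);
        if (k == "secure") a.secure = true;
        else if (k == "httponly") a.http_only = true;
        else if (k == "path") a.path = val;
        else if (k == "domain") a.domain = val;
    }
    return a;
}

// Emulates the browser-side prefix check: true if the header would be
// accepted (and therefore actually clear the cookie), false if ignored.
bool browserAcceptsPrefix(const std::string& header) {
    CookieAttrs a = parseSetCookie(header);
    if (startsWith(a.name, "__Host-"))
        return a.secure && a.path == "/" && a.domain.empty();
    if (startsWith(a.name, "__Secure-"))
        return a.secure;
    return true;
}

// Hardened builder: the prefix dictates the attributes, so a logout header
// for a prefixed cookie is always one the browser will honour.
std::string buildDeleteHeaderHardened(const std::string& name, const std::string& path) {
    CookieAttrs a;
    a.name = name;
    a.path = path;
    if (startsWith(name, "__Host-")) { a.secure = true; a.path = "/"; a.domain.clear(); }
    else if (startsWith(name, "__Secure-")) { a.secure = true; }
    return buildDeleteHeader(a);
}
```

A quick post-upgrade check is to log out through the proxy and confirm the `Set-Cookie` response headers for prefixed cookies carry `Secure` (and `Path=/` for `__Host-`); if they do not, the browser will keep the session cookie just as the advisory describes.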