SB2025090352 - ISTIO update for Envoy


Published: September 3, 2025

Security Bulletin ID: SB2025090352
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Insufficient session expiration (CVE-ID: CVE-2025-55162)

The vulnerability allows an attacker to take over a victim's session after the victim has logged out.

The vulnerability exists due to an insufficient session expiration issue in the Envoy OAuth2 filter. When the filter is configured with __Secure- or __Host- prefixed cookie names, it fails to append the required Secure attribute to the Set-Cookie header it emits on deletion. Browsers enforce the cookie-prefix rules on every Set-Cookie header, including one meant to expire a cookie: a header for a __Secure- or __Host- cookie that lacks the Secure attribute is silently discarded. As a result the session cookie is never deleted when the user clicks the logout button and remains valid in the browser. An attacker with physical access to the victim's browser can then use the surviving cookie to gain unauthorized access to the original user's account and data.
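The following is an added example, not Envoy or Istio code, that makes the failure mode checkable: it parses a Set-Cookie header the way a prefix-enforcing browser evaluates it (Secure required for __Secure-; Secure, Path=/ and no Domain required for __Host-) and reports whether a logout deletion header would actually be honoured. It also builds a deletion header that satisfies those rules. The parser and the prefix match are simplified assumptions for illustration (the prefix comparison is case-sensitive here), and the header strings are constructed sample inputs.

```cpp
// Added example (not Envoy's code): would a browser that enforces the
// __Secure-/__Host- cookie prefixes accept this deletion Set-Cookie header?
#include <string>
#include <vector>

struct SetCookie {
    std::string name;
    std::string value;
    bool secure = false;     // "Secure" attribute present
    bool hasDomain = false;  // "Domain=" attribute present
    std::string path;        // value of "Path=", empty if absent
};

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Minimal Set-Cookie parser: "name=value; attr; attr=val; ..."
SetCookie parseSetCookie(const std::string& header) {
    std::vector<std::string> parts;
    size_t start = 0;
    for (;;) {
        size_t semi = header.find(';', start);
        parts.push_back(trim(header.substr(start, semi == std::string::npos ? std::string::npos : semi - start)));
        if (semi == std::string::npos) break;
        start = semi + 1;
    }
    SetCookie c;
    size_t eq = parts[0].find('=');
    c.name = eq == std::string::npos ? parts[0] : parts[0].substr(0, eq);
    c.value = eq == std::string::npos ? "" : parts[0].substr(eq + 1);
    for (size_t i = 1; i < parts.size(); ++i) {
        size_t e = parts[i].find('=');
        std::string key = lower(trim(parts[i].substr(0, e)));
        std::string val = e == std::string::npos ? "" : trim(parts[i].substr(e + 1));
        if (key == "secure") c.secure = true;
        else if (key == "domain") c.hasDomain = true;
        else if (key == "path") c.path = val;
    }
    return c;
}

static bool hasPrefix(const std::string& s, const std::string& p) {
    return s.compare(0, p.size(), p) == 0;  // case-sensitive match (simplification)
}

// Cookie-prefix rules as applied by the browser to ANY Set-Cookie header,
// including one that only tries to expire the cookie.
bool browserAccepts(const SetCookie& c) {
    if (hasPrefix(c.name, "__Secure-")) return c.secure;
    if (hasPrefix(c.name, "__Host-")) return c.secure && !c.hasDomain && c.path == "/";
    return true;
}

// true  -> the logout deletion takes effect
// false -> the header is discarded and the session cookie survives logout
bool deletionAccepted(const std::string& header) {
    return browserAccepts(parseSetCookie(header));
}

// Builds a deletion header that satisfies the prefix rules for the given name.
std::string buildDeletionHeader(const std::string& name) {
    std::string h = name + "=; Max-Age=0; Path=/";
    if (hasPrefix(name, "__Secure-") || hasPrefix(name, "__Host-")) h += "; Secure";
    return h;
}
```

To check a live deployment the same way, capture the Set-Cookie headers on the logout response and feed them to deletionAccepted(); a prefixed cookie whose deletion header returns false will still be sent by the browser on the next request.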


2) Use-after-free (CVE-ID: CVE-2025-54588)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the Dynamic Forward Proxy implementation when a completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions while the resolver is still working on its pending-resolution state. A remote attacker who can drive such resolutions can crash the proxy and perform a denial of service attack.
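The following added example is not Envoy's Dynamic Forward Proxy code; it is an illustration, under the assumption that the bug class is the one the description names, of how a completion callback that re-enters the resolver can turn into a use-after-free, and of the usual safe pattern. The vulnerable variant invokes callbacks while holding a reference into the live map of pending resolutions, so a callback that cancels the entry being processed leaves that reference dangling (with an unordered container, an insertion can also rehash and invalidate the iterator). The safe variant detaches the completed entries from shared state before running any callback. The resolver, host names and scenario are constructed for the example.

```cpp
// Added example (illustrative, not Envoy's code): re-entrant completion
// callbacks against a pending-resolution map.
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

class Resolver {
public:
    using Callback = std::function<void(const std::string& host)>;

    // Register interest in a host; entries accumulate until completion.
    void resolve(const std::string& host, Callback cb) {
        pending_[host].push_back(std::move(cb));
    }

    // Remove a pending resolution (e.g. the owner went away).
    void cancel(const std::string& host) { pending_.erase(host); }

    size_t pendingCount() const { return pending_.size(); }

    // VULNERABLE pattern: callbacks run while 'entry' refers into pending_.
    // If a callback calls cancel() on the current host, the node is freed and
    // the loop keeps reading it: use-after-free (undefined behaviour). Kept
    // here only as the "before"; never called.
    void completeAllUnsafe() {
        for (auto it = pending_.begin(); it != pending_.end(); ++it) {
            std::vector<Callback>& entry = it->second;
            for (auto& cb : entry) cb(it->first);  // cb may mutate pending_
        }
        pending_.clear();
    }

    // SAFE pattern: move the completed batch out of shared state first, then
    // run callbacks. resolve()/cancel() issued from a callback only touch the
    // fresh pending_ map, never the batch being iterated.
    void completeAllSafe() {
        std::map<std::string, std::vector<Callback>> done;
        done.swap(pending_);
        for (auto& kv : done) {
            std::vector<Callback> callbacks = std::move(kv.second);
            for (auto& cb : callbacks) cb(kv.first);
        }
    }

private:
    std::map<std::string, std::vector<Callback>> pending_;
};

// Scenario: the callback for "a.example" cancels its own entry and starts a
// new resolution for "b.example", i.e. exactly the two re-entrant operations
// the bulletin names. Returns the order in which completions were observed.
std::vector<std::string> runScenario() {
    Resolver r;
    std::vector<std::string> log;
    r.resolve("a.example", [&](const std::string& h) {
        log.push_back("done:" + h);
        r.cancel("a.example");                       // remove a pending resolution
        r.resolve("b.example", [&](const std::string& h2) {  // trigger a new one
            log.push_back("done:" + h2);
        });
    });
    r.completeAllSafe();  // completes a.example; b.example is now pending
    r.completeAllSafe();  // completes b.example
    return log;           // {"done:a.example", "done:b.example"}
}

// Pending entries left after the scenario (expected: none).
size_t pendingAfterScenario() {
    Resolver r;
    r.resolve("a.example", [&](const std::string&) { r.cancel("a.example"); });
    r.completeAllSafe();
    return r.pendingCount();
}
```

Running the same scenario through completeAllUnsafe() is undefined behaviour; under AddressSanitizer it reports a heap-use-after-free on the erased map node, which is the kind of report a fuzzing or sanitizer build of the proxy would surface for this bug class.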


Remediation

Install the update from the vendor's website.