#VU114763 Insufficient session expiration in envoy - CVE-2025-55162

 


Published: September 3, 2025


Vulnerability identifier: #VU114763
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-55162
CWE-ID: CWE-613
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
envoy
Software vendor:
Cloud Native Computing Foundation

Description

The vulnerability allows an attacker to hijack a victim's session.

The vulnerability exists due to insufficient session expiration in the Envoy OAuth2 filter. When the filter is configured with cookie names carrying the __Secure- or __Host- prefix, it fails to add the required Secure attribute to the Set-Cookie headers it emits to delete those cookies. Browsers enforce the cookie-prefix rules (a __Secure- cookie must carry the Secure attribute; a __Host- cookie must additionally carry Path=/ and no Domain attribute) and silently discard any Set-Cookie header that violates them, so the deletion headers are ignored and the session cookies are never removed when the user clicks the logout button. An attacker with physical access to the victim's browser can then reuse the still-valid cookies to gain unauthorized access to the original user's account and data.
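The following is an added example, not Envoy's code, that emulates the browser-side cookie-prefix checks which cause the faulty deletion header to be ignored. The cookie name `__Host-OauthHMAC` is an assumption chosen for illustration (the OAuth2 filter's cookie names are configurable), and the two Set-Cookie headers are constructed to show the vulnerable deletion beside the corrected one.

```javascript
// Added example (not Envoy's code): emulates the cookie-prefix rules a
// browser applies to a Set-Cookie header (RFC 6265bis, section "Cookie
// Name Prefixes"). A header that fails the check is silently discarded,
// so a "deletion" header that fails it leaves the session cookie in place.

// Split a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Returns true if a browser would honour the header (store the cookie, or
// delete it when Max-Age=0), false if the prefix rules make it ignore it.
function browserAcceptsSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  if (name.startsWith("__Secure-")) {
    return attrs.secure === true;
  }
  if (name.startsWith("__Host-")) {
    return attrs.secure === true && attrs.path === "/" && !("domain" in attrs);
  }
  return true; // unprefixed cookies carry no such constraint
}

// Apply a Set-Cookie header to a cookie jar (a Map of name -> value) the way
// a browser would, returning the resulting jar. Max-Age<=0 deletes.
function applySetCookie(jar, header) {
  const next = new Map(jar);
  if (!browserAcceptsSetCookie(header)) {
    return next; // header rejected: jar unchanged, session cookie survives
  }
  const { name, value, attrs } = parseSetCookie(header);
  if (attrs["max-age"] !== undefined && Number(attrs["max-age"]) <= 0) {
    next.delete(name);
  } else {
    next.set(name, value);
  }
  return next;
}

// Assumed cookie name for illustration; Envoy's OAuth2 cookie names are
// configurable. Both headers below are constructed, not captured traffic.
const COOKIE = "__Host-OauthHMAC";
// Deletion header without the Secure attribute: rejected by the browser.
const VULNERABLE_DELETE = `${COOKIE}=deleted; Max-Age=0; Path=/`;
// Deletion header that satisfies the __Host- prefix rules: honoured.
const FIXED_DELETE = `${COOKIE}=deleted; Max-Age=0; Path=/; Secure; HttpOnly`;

// Simulate logout against a jar that still holds the session cookie and
// report whether the cookie is gone afterwards.
function logoutRemovesCookie(deleteHeader) {
  const jar = new Map([[COOKIE, "session-hmac-value"]]);
  return !applySetCookie(jar, deleteHeader).has(COOKIE);
}

console.log("vulnerable deletion removes cookie:", logoutRemovesCookie(VULNERABLE_DELETE)); // false
console.log("fixed deletion removes cookie:     ", logoutRemovesCookie(FIXED_DELETE));      // true
```

To check a deployment, capture the Set-Cookie headers in the response to the OAuth2 filter's logout request: every header naming a `__Secure-` or `__Host-` cookie must carry `Secure` (and, for `__Host-`, `Path=/` with no `Domain`), otherwise the browser keeps the cookie exactly as shown above.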


Remediation

Install updates from the vendor's website.

External links