Insufficient session expiration in envoy - CVE-2025-55162


Published: September 3, 2025


Vulnerability identifier: #VU114763
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-55162
CWE-ID: CWE-613
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Cloud Native Computing Foundation
Affected software:
envoy

Detailed vulnerability description

The vulnerability allows an attacker to compromise the victim's session.

The vulnerability exists due to an insufficient session expiration issue in the Envoy OAuth2 filter. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Browsers reject a Set-Cookie for a __Secure- or __Host- prefixed name that lacks the Secure attribute, so the deletion is silently ignored and the cookie is never removed when the user clicks the logout button. An attacker with physical access to the victim's browser can gain unauthorized access to the original user's account and data.
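The following is an added defender-side check, not code from Envoy or from this advisory: it audits the Set-Cookie headers a logout response emits and flags cookie deletions that a browser would discard because they break the cookie-prefix rules (a __Secure- or __Host- name needs the Secure attribute; __Host- additionally needs Path=/ and no Domain). The cookie names and header values are constructed for the example; the function names are assumptions of this snippet.

```python
"""Audit logout Set-Cookie headers against the cookie-prefix rules.

A deletion (Max-Age<=0 or an Expires date in the past) for a __Secure- or
__Host- prefixed cookie that lacks the Secure attribute is ignored by the
browser, so the session cookie survives logout. This check surfaces that.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_deletion(value: str, attrs: Dict[str, str]) -> bool:
    """True if the header is meant to delete the cookie rather than set it."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:          # treat a naive date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= datetime.now(timezone.utc)
    return False


def prefix_violations(name: str, attrs: Dict[str, str]) -> List[str]:
    """Return the cookie-prefix rules this Set-Cookie breaks (empty if none)."""
    problems: List[str] = []
    if name.startswith(("__Secure-", "__Host-")) and "secure" not in attrs:
        problems.append("missing Secure attribute required by the name prefix")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute is not allowed with __Host-")
        if attrs.get("path") != "/":
            problems.append("Path must be exactly '/' with __Host-")
    return problems


def audit_logout_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each ineffective deletion (browser would reject it) to its problems."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if not is_deletion(value, attrs):
            continue
        problems = prefix_violations(name, attrs)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample logout responses (names and values are not Envoy's).
VULNERABLE_LOGOUT = [
    "__Secure-session=deleted; Max-Age=0; Path=/; HttpOnly",
    "__Host-session=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly",
]
FIXED_LOGOUT = [
    "__Secure-session=deleted; Max-Age=0; Path=/; HttpOnly; Secure",
    "__Host-session=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE_LOGOUT), ("fixed", FIXED_LOGOUT)):
        print(label, audit_logout_headers(headers))
```

Run it against the headers your logout endpoint actually returns (for example, captured from an integration test) rather than the constructed ones above; an empty result means every deletion would be honoured by a browser.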


How to mitigate CVE-2025-55162

Install updates from the vendor's website.

Sources