Announcing Istio 1.25.1
Istio 1.25.1 patch release.
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.25.0 and Istio 1.25.1.
Security Update
- CVE-2025-30157 (CVSS Score 6.5, Medium): Envoy crashes when HTTP ext_proc processes local replies.
For the purposes of Istio, this CVE is only exploitable in circumstances where ext_proc is configured via EnvoyFilter.
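One way to check whether a mesh meets that condition, as an added example (not Istio's own tooling): the script below reads the output of kubectl get envoyfilter -A -o json and lists the EnvoyFilter resources whose patch values configure the ext_proc HTTP filter. The function names and the sample resources are constructed for illustration.

```python
import json
import sys

# Envoy's identifiers for the external processing HTTP filter.
EXT_PROC_NAME = "envoy.filters.http.ext_proc"
EXT_PROC_TYPE = "envoy.extensions.filters.http.ext_proc"


def mentions_ext_proc(node):
    """Recursively search a patch value for the ext_proc filter name or type URL."""
    if isinstance(node, dict):
        return any(mentions_ext_proc(v) for v in node.values())
    if isinstance(node, list):
        return any(mentions_ext_proc(v) for v in node)
    return isinstance(node, str) and (node == EXT_PROC_NAME or EXT_PROC_TYPE in node)


def find_ext_proc_filters(kube_list):
    """Return namespace/name of each EnvoyFilter whose patch values configure ext_proc."""
    hits = []
    for item in kube_list.get("items", []):
        if item.get("kind") != "EnvoyFilter":
            continue
        patches = (item.get("spec") or {}).get("configPatches") or []
        values = [(cp.get("patch") or {}).get("value") for cp in patches]
        if mentions_ext_proc(values):
            meta = item.get("metadata", {})
            hits.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}")
    return hits


# Constructed sample in the shape of `kubectl get envoyfilter -A -o json` output.
SAMPLE = {"items": [
    {"kind": "EnvoyFilter", "metadata": {"namespace": "payments", "name": "body-scan"},
     "spec": {"configPatches": [{"applyTo": "HTTP_FILTER", "patch": {
         "operation": "INSERT_BEFORE",
         "value": {"name": "envoy.filters.http.ext_proc", "typed_config": {
             "@type": "type.googleapis.com/"
                      "envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor"}}}}]}},
    {"kind": "EnvoyFilter", "metadata": {"namespace": "istio-system", "name": "add-header"},
     "spec": {"configPatches": [{"applyTo": "HTTP_FILTER", "patch": {
         "operation": "INSERT_BEFORE", "value": {"name": "envoy.filters.http.lua"}}}]}},
]}

if __name__ == "__main__":
    # Pipe kubectl JSON output on stdin; with no pipe, the constructed sample is used.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for hit in find_ext_proc_filters(data):
        print(hit)
```

An empty result means no EnvoyFilter in the scanned output configures ext_proc; any resource listed is one to prioritize for the upgrade.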
Changes
- Added status information to HTTPRoute resources to indicate the status of parentRefs for service and service entry resources, as well as a new condition to indicate the status of waypoint configuration when in ambient mode.
- Fixed validation webhook rejecting an otherwise valid connectionPool.tcp.IdleTimeout=0s configuration. (Issue #55409)
- Fixed an issue where validation webhook incorrectly reported a warning when a ServiceEntry configured workloadSelector with DNS resolution. (Issue #50164)
- Fixed an issue where HTTPRoute status was not reporting a parentRef associated with a single result due to complex logic for collapsing parentRefs of the same reference, but different sectionNames.
- Fixed IstioCertificateService to ensure IstioCertificateResponse.CertChain contained only a single certificate per element in the array. (Issue #1061)
- Fixed an issue causing waypoints to downgrade HTTP2 traffic to HTTP/1.1 if the port was not explicitly declared as http2.