ISTIO-SECURITY-2025-001
CVEs reported by Envoy.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2025-55162, CVE-2025-54588 |
| CVSS Impact Score | 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Releases | 1.27.0; 1.26.0 to 1.26.3; 1.25.0 to 1.25.4 |
CVE
Envoy CVEs
- CVE-2025-55162 (CVSS score 6.3, Moderate): OAuth2 Filter Signout route will not clear cookies because of missing “secure;” flag
- CVE-2025-54588 (CVSS score 7.5, High): Use after free in DNS cache
Am I Impacted?
You are impacted if you are using Istio 1.27.0, 1.26.0 to 1.26.3, or 1.25.0 to 1.25.4, and you use cookies named with prefix `__Secure-` or `__Host-`, or you are using `EnvoyFilter` with `dynamic_forward_proxy`.
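
The impact rule above as an offline check. This is an added example, not part of the Istio bulletin. It assumes you have saved the output of `kubectl get envoyfilter -A -o json` and can list the cookie names your workloads use; the function names and the sample data are hypothetical.

```python
import json
import re

# Affected release ranges, copied from the bulletin's disclosure table.
AFFECTED = [((1, 27, 0), (1, 27, 0)),
            ((1, 26, 0), (1, 26, 3)),
            ((1, 25, 0), (1, 25, 4))]
COOKIE_PREFIXES = ("__Secure-", "__Host-")

def version_affected(version):
    """True if an Istio version string such as '1.26.2' is in an affected range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(p) for p in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def _mentions_dfp(node):
    """Recursively look for 'dynamic_forward_proxy' in any key or string value."""
    if isinstance(node, dict):
        return any(_mentions_dfp(k) or _mentions_dfp(v) for k, v in node.items())
    if isinstance(node, list):
        return any(_mentions_dfp(i) for i in node)
    return isinstance(node, str) and "dynamic_forward_proxy" in node

def envoyfilters_using_dfp(envoyfilter_list_json):
    """Return 'namespace/name' of each EnvoyFilter referencing dynamic_forward_proxy."""
    items = json.loads(envoyfilter_list_json).get("items", [])
    return [f"{i['metadata'].get('namespace', 'default')}/{i['metadata']['name']}"
            for i in items if _mentions_dfp(i.get("spec", {}))]

def assess(version, envoyfilter_list_json, cookie_names):
    """Bulletin rule: affected version AND (prefixed cookie OR such an EnvoyFilter)."""
    cookies = [c for c in cookie_names if c.startswith(COOKIE_PREFIXES)]
    filters = envoyfilters_using_dfp(envoyfilter_list_json)
    return {"impacted": version_affected(version) and bool(cookies or filters),
            "cookies": cookies, "envoyfilters": filters}

# Constructed sample: one EnvoyFilter with a dynamic_forward_proxy filter, one without.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "istio-system", "name": "egress-dfp"},
     "spec": {"configPatches": [{"patch": {"value": {
         "name": "envoy.filters.http.dynamic_forward_proxy"}}}]}},
    {"metadata": {"namespace": "app", "name": "add-header"},
     "spec": {"configPatches": [{"patch": {"value": {"name": "envoy.filters.http.lua"}}}]}},
]})
```

Calling `assess("1.26.2", SAMPLE, ["__Host-session", "theme"])` reports the matching cookie and the `istio-system/egress-dfp` filter, so each finding can be reviewed on its own.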