CVE-2025-54588: 
Envoy vulnerability analysis and mitigation

CVE-2025-54588 is a use-after-free (UAF) vulnerability discovered in Envoy, an open source L7 proxy and communication bus designed for large modern service oriented architectures. The vulnerability affects versions 1.34.0 through 1.34.4 and 1.35.0, and was disclosed on September 2, 2025. The flaw resides in Envoy's DNS cache implementation, specifically within the Dynamic Forward Proxy component (NVD, GitHub Advisory).

The vulnerability occurs when a completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions. This can lead to memory reallocation during pending DNS resolution processing, causing list iterators to reference freed memory. The issue manifests under specific conditions: when the Dynamic Forwarding Filter is enabled, the envoy.reloadable_features.dfp_cluster_resolves_hosts runtime flag is enabled, and the Host header is modified between the Dynamic Forwarding Filter and Router filters. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Security Online, GitHub Advisory).

The primary impact of this vulnerability is denial of service through abnormal process termination. When exploited, the vulnerability causes Envoy to crash, which can be identified by the presence of Envoy::Event::DispatcherImpl::runPostCallbacks() frame in the call stack (GitHub Advisory).

The vulnerability has been patched in versions 1.34.5 and 1.35.1. Users are advised to upgrade to these versions. As a temporary workaround, users can set the envoy.reloadablefeatures.dfpclusterresolveshosts runtime flag to false if immediate updating is not possible (NVD, GitHub Advisory).