CVE-2025-55162: 
Envoy vulnerability analysis and mitigation

CVE-2025-55162 is a vulnerability discovered in Envoy, an open source L7 proxy and communication bus designed for large modern service oriented architectures. The vulnerability was disclosed on September 3, 2025, affecting versions below 1.32.10 and versions 1.33.0 through 1.33.6, 1.34.0 through 1.34.4, and 1.35.0. The issue stems from insufficient session expiration in the Envoy OAuth2 filter (NVD, GitHub Advisory).

The vulnerability occurs when the OAuth2 filter is configured with Secure- or Host- prefixed cookie names. The filter fails to append the required Secure attribute to the Set-Cookie header during deletion. The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes, resulting in browsers ignoring the invalid deletion request. The vulnerability has received a CVSS v3.1 base score of 6.3 (Medium) from GitHub and 8.8 (High) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N (GitHub Advisory, NVD).

The vulnerability allows session cookies to persist after logout attempts, creating a session hijacking risk particularly on shared computers. When a user attempts to log out, the session remains active due to the failed cookie deletion, potentially allowing subsequent users of the same browser to gain unauthorized access to the original user's account and data (Security Online, GitHub Advisory).

The vulnerability has been fixed in versions 1.32.10, 1.33.7, 1.34.5, and 1.35.1. As a temporary workaround, users can avoid using Secure- or Host- prefixes in cookie name configurations for the OAuth2 filter (GitHub Advisory, NVD).