
ISTIO-SECURITY-2025-001


{{< security_bulletin >}}

CVE

Envoy CVEs

  • CVE-2025-55162: (CVSS score 6.3, Moderate): OAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag
  • CVE-2025-54588: (CVSS score 7.5, High): Use after free in DNS cache

Am I Impacted?

You are impacted if you are using Istio 1.27.0, 1.26.0 to 1.26.3, or 1.25.0 to 1.25.4, and you use cookies named with prefix __Secure- or __Host-, or you are using EnvoyFilter with dynamic_forward_proxy.
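The conditions above can be checked mechanically. The following triage sketch is an added example, not part of the Istio bulletin or the Istio project's tooling. It assumes the version ranges apply to both conditions, that the EnvoyFilter input is shaped like the output of `kubectl get envoyfilter -A -o json`, and that you supply the cookie names your workloads use; the function names and sample data are hypothetical.

```python
import json
import re

# Affected patch ranges per minor release, copied from the bulletin text.
AFFECTED = {(1, 27): (0, 0), (1, 26): (0, 3), (1, 25): (0, 4)}
COOKIE_PREFIXES = ("__Secure-", "__Host-")


def version_affected(version):
    """True if an Istio version string falls in a range listed by the bulletin."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Istio version: {version!r}")
    major, minor, patch = map(int, m.groups())
    lo, hi = AFFECTED.get((major, minor), (1, 0))  # empty range if minor not listed
    return lo <= patch <= hi


def mentions_dfp(node):
    """Recursively search a decoded manifest for 'dynamic_forward_proxy'."""
    if isinstance(node, dict):
        return any(mentions_dfp(k) or mentions_dfp(v) for k, v in node.items())
    if isinstance(node, list):
        return any(mentions_dfp(v) for v in node)
    return isinstance(node, str) and "dynamic_forward_proxy" in node


def assess(version, envoyfilter_list_json, cookie_names):
    """Return the bulletin conditions that hold; an empty list means not impacted."""
    if not version_affected(version):
        return []
    reasons = []
    hits = [c for c in cookie_names if c.startswith(COOKIE_PREFIXES)]
    if hits:
        reasons.append("prefixed cookies: " + ", ".join(hits))
    for item in json.loads(envoyfilter_list_json).get("items", []):
        if item.get("kind") == "EnvoyFilter" and mentions_dfp(item.get("spec", {})):
            meta = item.get("metadata", {})
            reasons.append(f"EnvoyFilter {meta.get('namespace')}/{meta.get('name')} uses dynamic_forward_proxy")
    return reasons


# Constructed sample (not real cluster data), shaped like a kubectl JSON list.
SAMPLE = json.dumps({"items": [
    {"kind": "EnvoyFilter", "metadata": {"namespace": "istio-system", "name": "egress-dfp"},
     "spec": {"configPatches": [{"patch": {"value": {"name": "envoy.filters.http.dynamic_forward_proxy"}}}]}},
    {"kind": "EnvoyFilter", "metadata": {"namespace": "default", "name": "lua-headers"},
     "spec": {"configPatches": [{"patch": {"value": {"name": "envoy.filters.http.lua"}}}]}},
]})
```

Calling `assess("1.26.2", SAMPLE, ["__Host-session", "theme"])` reports both the prefixed cookie and the `egress-dfp` filter; a version outside the listed ranges returns an empty list regardless of the other inputs.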