CVE-2025-55162: Insufficient Session Expiration in Envoy

Severity
NVD: 8.8 HIGH
CNA: 6.3
EPSS
0.0%
top 99.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 3

Description

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid reques
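The failure mode described above, worked through as an added example. This is not Envoy's code: it models the browser-side cookie-prefix rule (RFC 6265bis: a __Secure- cookie must carry the Secure attribute; a __Host- cookie must carry Secure and Path=/ and no Domain) with a small simulated cookie jar, then runs a signout against it twice, once building the deletion Set-Cookie the way the advisory says the vulnerable filter did (no Secure attribute) and once with Secure appended. The cookie names and the session values are constructed for the illustration and are not Envoy defaults.

```python
# Added example (not Envoy code): a cookie-expiring Set-Cookie without "Secure"
# is silently dropped by the browser when the name uses a __Secure- or __Host-
# prefix, so the session cookie survives the logout. Cookie names and values
# here are assumptions for illustration only.
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, Optional[str]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split a Set-Cookie header into (name, value, {lower-case attr: value})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, has_value, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def browser_accepts(header: str) -> bool:
    """Cookie-prefix rules as modern browsers enforce them (RFC 6265bis).

    __Secure-<name>: the Set-Cookie must carry the Secure attribute.
    __Host-<name>:   must carry Secure, Path=/, and no Domain attribute.
    The origin is assumed to be HTTPS; the scheme check is out of scope here.
    A header that violates the rule is ignored entirely, so it can neither
    set nor expire an existing cookie of that name.
    """
    name, _, attrs = parse_set_cookie(header)
    if name.startswith("__Host-"):
        return "secure" in attrs and attrs.get("path") == "/" and "domain" not in attrs
    if name.startswith("__Secure-"):
        return "secure" in attrs
    return True


def deletion_header(name: str, path: str = "/", add_secure_for_prefix: bool = True) -> str:
    """Build a Set-Cookie that expires `name` on the client.

    add_secure_for_prefix=False reproduces the pre-fix behaviour described in
    the advisory: no Secure attribute is appended for prefixed cookie names.
    """
    parts = [f"{name}=deleted", "Max-Age=0",
             "Expires=Thu, 01 Jan 1970 00:00:00 GMT", f"Path={path}", "HttpOnly"]
    if add_secure_for_prefix and name.startswith(("__Secure-", "__Host-")):
        parts.append("Secure")
    return "; ".join(parts)


def apply_set_cookie(jar: Dict[str, str], header: str) -> None:
    """Update a simulated cookie jar the way a browser would."""
    if not browser_accepts(header):
        return                                   # header silently dropped
    name, value, attrs = parse_set_cookie(header)
    if attrs.get("max-age") == "0":
        jar.pop(name, None)                      # expired: remove it
    else:
        jar[name] = value


def logout(jar: Dict[str, str], cookie_names: List[str], fixed: bool) -> List[str]:
    """Simulate a signout response that tries to expire every session cookie.

    Returns the cookie names still present afterwards; a working logout
    returns an empty list.
    """
    for name in cookie_names:
        apply_set_cookie(jar, deletion_header(name, add_secure_for_prefix=fixed))
    return sorted(jar)


if __name__ == "__main__":
    # Constructed session state with prefixed names (assumed, not Envoy defaults).
    names = ["__Secure-BearerToken", "__Secure-OauthHMAC", "__Host-OauthExpires"]
    session = {n: "opaque-value" for n in names}
    print("vulnerable signout leaves:", logout(dict(session), names, fixed=False))
    print("fixed signout leaves:     ", logout(dict(session), names, fixed=True))
```

The same check is useful on the wire: capture the Set-Cookie headers of the signout response and run them through `browser_accepts`; any prefixed cookie whose deletion header is rejected is a cookie the logout did not actually clear, and its bearer token stays usable until it expires on its own.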

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

Source      Package            Affected versions        Fixed in
NVD         envoyproxy/envoy   1.34.0                   1.34.5   (+3 more ranges)
CVEListV5   envoyproxy/envoy   1.32.0, < 1.32.10                 (+3 more ranges)

🔴Vulnerability Details (1)

CVEList: Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag (2025-09-03)

📋Vendor Advisories (1)

Red Hat: envoyproxy/envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag (2025-09-03)