Session Expiration Flaw in Envoy Proxy by Envoy
CVE-2025-55162

6.3 MEDIUM

Key Information:

Vendor

Envoyproxy

Status
Vendor
CVE Published:
3 September 2025

What is CVE-2025-55162?

Envoy Proxy has a vulnerability in its OAuth2 filter that fails to handle session expiration correctly, particularly during logout. When certain cookie names are used, the Secure attribute required for those cookies is missing from the deletion (Set-Cookie) headers the filter sends. Modern browsers reject such invalid deletion headers, so the session cookies persist even after a logout has been attempted. This increases the risk of session hijacking, especially on shared computers, where a subsequent user can inadvertently gain access to the previous user's account and data. The issue is fixed in the Envoy Proxy versions listed below.
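A defender-side check that can be run against a logout response, added here as an illustration and not Envoy's own code: it parses each Set-Cookie header and reports cookies whose deletion a browser would silently reject, which is exactly the failure mode described above. The prefix rules it encodes (a `__Secure-` cookie must carry the Secure attribute; a `__Host-` cookie must carry Secure, Path=/ and no Domain) come from RFC 6265bis, not from this page; the sample headers and cookie names are constructed.

```python
"""Flag logout Set-Cookie headers that a browser would refuse to apply.

Added example, not Envoy code. Encodes the cookie-prefix rules of
RFC 6265bis: a '__Secure-' cookie needs Secure; a '__Host-' cookie needs
Secure, Path=/ and no Domain. A deletion header violating them is dropped
by the browser, so the session cookie outlives the logout.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie header into (cookie name, {attribute_lowercase: value})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, _value = pieces[0].partition("=")
    attrs: dict[str, str] = {}
    for piece in pieces[1:]:
        if piece:
            key, _, value = piece.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def is_deletion(attrs: dict[str, str], now: Optional[datetime] = None) -> bool:
    """True if the header clears the cookie: Max-Age <= 0 or Expires in the past."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= (now or datetime.now(timezone.utc))
    return False


def deletion_problems(name: str, attrs: dict[str, str]) -> list[str]:
    """Reasons a browser would not apply this header as a deletion of `name`."""
    problems: list[str] = []
    if not is_deletion(attrs):
        problems.append("does not clear the cookie (no Max-Age<=0 or past Expires)")
    if name.startswith(("__Secure-", "__Host-")) and "secure" not in attrs:
        problems.append("prefixed cookie requires the Secure attribute")
    if name.startswith("__Host-"):
        if attrs.get("path") != "/":
            problems.append("__Host- cookie requires Path=/")
        if "domain" in attrs:
            problems.append("__Host- cookie must not set Domain")
    return problems


def audit_logout_headers(headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name to its deletion problems; an empty dict means every cookie is cleared."""
    report: dict[str, list[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        problems = deletion_problems(name, attrs)
        if problems:
            report[name] = problems
    return report


# Constructed sample logout response headers (not captured from Envoy).
SAMPLE_LOGOUT_HEADERS = [
    "__Secure-session=; Max-Age=0; Path=/; HttpOnly",          # missing Secure: browser drops it
    "__Secure-refresh=; Max-Age=0; Path=/; HttpOnly; Secure",  # valid deletion
    "__Host-id=; Max-Age=0; Secure; HttpOnly",                 # missing Path=/: browser drops it
    "legacy=deadbeef; Path=/; Secure",                         # not a deletion at all
]

if __name__ == "__main__":
    for cookie, reasons in audit_logout_headers(SAMPLE_LOGOUT_HEADERS).items():
        print(f"{cookie}: {'; '.join(reasons)}")
```

Run it against the Set-Cookie headers captured from a real logout response (for example with `curl -i`) and any cookie that appears in the report is one that will still be present in the browser after logout.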

Affected Version(s)

envoy >= 1.35.0, < 1.35.1 (fixed in 1.35.1)

envoy >= 1.34.0, < 1.34.5 (fixed in 1.34.5)

envoy >= 1.33.0, < 1.33.7 (fixed in 1.33.7)

References

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
