CVE-2025-54588
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-09-08
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| envoyproxy | envoy | From 1.34.0 (inc) to 1.34.5 (exc) |
| envoyproxy | envoy | 1.35.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54588 is a use-after-free (UAF) vulnerability in Envoy's DNS cache within the Dynamic Forward Proxy implementation. It occurs when a DNS resolution completion callback triggers new DNS resolutions or removes existing pending resolutions, causing Envoy to access memory that has already been freed. This leads to abnormal process termination (crashes). The vulnerability manifests when the Dynamic Forwarding Filter is enabled, the runtime flag 'envoy.reloadable_features.dfp_cluster_resolves_hosts' is true, and the Host header is modified between the Dynamic Forwarding Filter and Router filters. [1]
How can this vulnerability impact me?
This vulnerability can cause Envoy to crash unexpectedly, resulting in denial of service (DoS). It affects the availability of the service by causing abnormal process termination but does not impact confidentiality or integrity. The attack can be performed remotely over the network without any privileges or user interaction, and it has low attack complexity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for abnormal Envoy process terminations. Specifically, look for crashes where the call stack includes Envoy::Event::DispatcherImpl::runPostCallbacks(). You can check Envoy logs for such crash reports or core dumps. Additionally, monitoring for unexpected Envoy process restarts or denial of service symptoms may indicate exploitation attempts. There are no specific commands provided, but inspecting logs and process crash reports is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Envoy to versions 1.34.5 or 1.35.1, which contain fixes for this vulnerability. If upgrading is not immediately possible, as a workaround, disable the runtime flag 'envoy.reloadable_features.dfp_cluster_resolves_hosts' by setting it to false to prevent the vulnerability from being triggered. [1]
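The workaround above is a runtime flag, so the durable way to apply it is in Envoy's bootstrap `layered_runtime` section. The fragment below is an added example, not configuration from the advisory or the Envoy project; it assumes the rest of the bootstrap (listeners, clusters, the Dynamic Forward Proxy filter and cluster) is already present and unchanged, and that the admin interface is enabled. The only page-supplied value is the flag name.

```yaml
# Added example (not from the advisory): bootstrap fragment that pins the
# runtime flag named in the advisory to false as a stop-gap for CVE-2025-54588
# until Envoy can be upgraded to 1.34.5 / 1.35.1.
layered_runtime:
  layers:
    # Static layer: applied at startup from the bootstrap file, so the override
    # persists across hot-restarts and cannot be silently reverted at runtime.
    - name: static_layer_0
      static_layer:
        # The advisory states the crash is reachable only while this flag is true.
        envoy.reloadable_features.dfp_cluster_resolves_hosts: false
    # Optional admin layer (assumed present so the effective value can be read
    # back through the admin interface). Later layers override earlier ones, so
    # keep it empty unless you intend to change values via the admin API.
    - name: admin_layer_0
      admin_layer: {}
```

Restart Envoy with the updated bootstrap, then read the effective value back from the admin interface's `/runtime` endpoint (for example `curl http://127.0.0.1:9901/runtime`, assuming the admin listener is on port 9901) and confirm the key resolves to `false` before relying on the workaround. Remove the override once the fixed release is deployed, since pinning reloadable features long-term diverges from upstream defaults.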