CVE-2025-55162
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-09-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| envoyproxy | envoy | to 1.32.10 (exc) |
| envoyproxy | envoy | From 1.33.0 (inc) to 1.33.7 (inc) |
| envoyproxy | envoy | From 1.34.0 (inc) to 1.34.5 (exc) |
| envoyproxy | envoy | 1.35.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Envoy's OAuth2 filter occurs because the filter fails to properly delete session cookies that have __Secure- or __Host- prefixes. These prefixes require the Secure attribute to be set in the Set-Cookie header when deleting cookies. However, the filter omits the Secure attribute during cookie deletion, causing modern browsers to ignore the deletion request. As a result, session cookies persist even after logout, allowing users to remain logged in unintentionally. This creates a risk of session hijacking, especially on shared or public computers, where another user could gain unauthorized access to the original user's session. [1]
How can this vulnerability impact me?
The vulnerability can lead to session hijacking risks because session cookies are not properly deleted upon logout. This means that on shared or public computers, a subsequent user could access the previous user's active session and gain unauthorized access to their account and data. It undermines the security of user sessions by allowing them to persist beyond the intended logout, potentially exposing sensitive information. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your Envoy OAuth2 filter is configured with cookies named with the __Secure- or __Host- prefixes and if the Set-Cookie headers during logout lack the Secure attribute. For example, inspect HTTP response headers for logout requests to see if deletion headers look like: 'Set-Cookie: __Secure-id-token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT' without the 'Secure' flag. Commands to check this could include using curl or similar tools to capture headers, e.g., 'curl -I https://your-envoy-domain/logout' and inspecting the Set-Cookie headers. Additionally, you can review your Envoy configuration files for cookie names with these prefixes. [1]
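A small audit script, added here as an example (not BaseFortify's or the Envoy project's code), that checks captured logout response headers for the faulty deletion form described above: it flags any __Secure- or __Host- cookie whose clearing Set-Cookie lacks the Secure attribute, and also applies the extra __Host- rules (Path=/ and no Domain) that browsers enforce. The cookie names and header lines are constructed sample input.

```python
from typing import Dict, List

# Constructed sample: headers as captured from a logout response. The first two
# are the faulty deletion form (no Secure attribute), the next two are correct.
SAMPLE_LOGOUT_HEADERS = [
    "Set-Cookie: __Secure-id-token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "Set-Cookie: __Host-bearer-token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "Set-Cookie: __Secure-refresh-token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly",
    "Set-Cookie: __Host-oauth-nonce=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; Path=/",
    "Content-Type: text/plain",
]


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def is_deletion(cookie: Dict[str, object]) -> bool:
    """A deletion is signalled by Max-Age=0 or an Expires date in the past."""
    attrs = cookie["attrs"]
    return attrs.get("max-age") == "0" or "1970" in attrs.get("expires", "")


def audit_logout_headers(headers: List[str]) -> List[str]:
    """Return names of prefixed cookies whose deletion a browser will ignore."""
    findings = []
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        name, attrs = cookie["name"], cookie["attrs"]
        if not name.startswith(("__Secure-", "__Host-")):
            continue
        # Browsers reject any __Secure-/__Host- Set-Cookie without Secure.
        bad = "secure" not in attrs
        # __Host- additionally requires Path=/ and forbids a Domain attribute.
        if name.startswith("__Host-"):
            bad = bad or attrs.get("path") != "/" or "domain" in attrs
        if bad and is_deletion(cookie):
            findings.append(name)
    return findings
```

Feed it the Set-Cookie lines from a real logout capture; any name it returns is a cookie that will survive logout in a modern browser.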
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Envoy to a patched version that fixes this issue, specifically versions 1.32.10, 1.33.7, 1.34.5, or 1.35.1 or later. Until then, avoid using __Secure- or __Host- prefixed cookie names in the OAuth2 filter configuration or ensure that the Set-Cookie headers during logout include the Secure attribute when deleting cookies. Monitoring logout behavior and educating users about the risk on shared computers can also help reduce exposure. [1]