CVE-2025-55162 Overview
CVE-2025-55162 is a session expiration vulnerability in the OAuth2 HTTP filter of the Envoy proxy. Envoy is an open-source Layer 7 (L7) proxy and communication bus used in modern service-oriented architectures. The flaw affects versions below 1.32.10, 1.33.0 through 1.33.6, 1.34.0 through 1.34.4, and 1.35.0. When the OAuth2 filter is configured with __Secure- or __Host- prefixed cookie names, the Set-Cookie headers it emits on logout to expire those cookies omit the Secure attribute that the prefixes require. Browsers discard such headers, so the session cookies stay in the browser after the user logs out, and the next person to use that browser can continue the session. This is a session persistence condition that is most easily abused on shared systems.
Critical Impact
Logout operations fail to invalidate session cookies, allowing the next browser user to access the previous user's authenticated session and data.
Affected Products
- Envoy versions prior to 1.32.10
- Envoy versions 1.33.0 through 1.33.6 and 1.34.0 through 1.34.4
- Envoy version 1.35.0
Discovery Timeline
- 2025-09-03 - CVE-2025-55162 published to NVD
- 2025-09-08 - Last updated in NVD database
Technical Details for CVE-2025-55162
Vulnerability Analysis
The vulnerability is classified as Insufficient Session Expiration [CWE-613]. The Envoy OAuth2 filter is responsible for managing OAuth2 authentication state through HTTP cookies. During logout, the filter generates Set-Cookie deletion headers for each configured cookie name. The deletion process fails when administrators use cookies prefixed with __Secure- or __Host-, both of which are RFC 6265bis cookie name prefixes that enforce strict browser-side rules.
Browsers apply the prefix rules to every Set-Cookie header that names such a cookie, including one whose only purpose is to expire it: a __Secure- cookie must carry the Secure attribute, and a __Host- cookie must additionally carry Path=/ and no Domain attribute. When the deletion header omits the Secure attribute, the browser discards the whole header rather than deleting the cookie. The original session cookie remains stored client-side and continues to be transmitted on subsequent requests, keeping the authenticated session valid.
Root Cause
The defect resides in the OAuth2 filter logout logic, which iterates through configured cookie names to build deletion headers without inspecting cookie name prefixes. Because the code does not branch on __Secure- or __Host- prefixes, the generated Set-Cookie header is malformed by browser standards and is ignored. The session is never invalidated client-side, and Envoy continues to treat the existing token as authoritative.
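The following Python is an added illustration, not code from Envoy: it models how a browser applies Set-Cookie headers under the prefix rules described above, first with deletion headers shaped like the unfixed filter's logout output and then with the same headers carrying Secure. The cookie names mirror the OAuth2 filter's defaults with a __Host- prefix, the cookie values are constructed, and the `violates_prefix_rules` check is the same test a practitioner would run over captured logout responses.

```python
"""Added example, not Envoy project code: a minimal model of how a browser
applies Set-Cookie headers under the RFC 6265bis __Secure-/__Host- prefix
rules, used to show why a logout header without the Secure attribute leaves
the session cookies in place. Cookie names mirror the OAuth2 filter defaults
with a __Host- prefix; cookie values are constructed for the example."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split 'name=value; attr; attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def violates_prefix_rules(name: str, attrs: Attrs) -> Optional[str]:
    """Reason a browser rejects the header under the prefix rules, else None.
    The rules apply to every Set-Cookie for the name, deletions included."""
    if name.startswith(("__Secure-", "__Host-")) and "secure" not in attrs:
        return "prefixed cookie without Secure attribute"
    if name.startswith("__Host-"):
        if "domain" in attrs:
            return "__Host- cookie must not carry a Domain attribute"
        if attrs.get("path") != "/":
            return "__Host- cookie must carry Path=/"
    return None


def is_deletion(attrs: Attrs) -> bool:
    """Max-Age <= 0 or an Expires date in the past removes the cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= datetime.now(timezone.utc)
        except (TypeError, ValueError):
            return False
    return False


def apply_set_cookie(jar: Dict[str, str], header: str) -> Optional[str]:
    """Apply one header to a jar (name -> value) as a browser on an HTTPS
    origin would. Returns the rejection reason, or None if it was applied."""
    name, value, attrs = parse_set_cookie(header)
    reason = violates_prefix_rules(name, attrs)
    if reason:
        return reason  # the whole header is discarded; the jar is untouched
    if is_deletion(attrs):
        jar.pop(name, None)
    else:
        jar[name] = value
    return None


def cookies_surviving_logout(login: List[str], logout: List[str]) -> List[str]:
    """Names still in the jar after applying login, then logout, headers."""
    jar: Dict[str, str] = {}
    for header in login + logout:
        apply_set_cookie(jar, header)
    return sorted(jar)


PREFIXED_NAMES = ["__Host-OauthHMAC", "__Host-BearerToken", "__Host-OauthExpires"]

# Constructed login response: cookies set with the attributes the prefixes need.
LOGIN = [f"{n}=example-{i}; path=/; Max-Age=3600; secure; HttpOnly"
         for i, n in enumerate(PREFIXED_NAMES)]

# Unfixed filter: deletion headers without Secure, which browsers ignore.
LOGOUT_VULNERABLE = [f"{n}=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"
                     for n in PREFIXED_NAMES]

# Patched behaviour: the same deletion headers with Secure appended.
LOGOUT_FIXED = [h + "; secure" for h in LOGOUT_VULNERABLE]


if __name__ == "__main__":
    print("vulnerable logout leaves:", cookies_surviving_logout(LOGIN, LOGOUT_VULNERABLE))
    print("fixed logout leaves:", cookies_surviving_logout(LOGIN, LOGOUT_FIXED))
    name, _, attrs = parse_set_cookie(LOGOUT_VULNERABLE[0])
    print("browser rejects the vulnerable header because:", violates_prefix_rules(name, attrs))
```

Run as a script it prints all three prefixed cookie names surviving the vulnerable logout and an empty list after the fixed one; the same `apply_set_cookie` path also shows that an unprefixed cookie is deleted by a Secure-less header, which is why the bug only surfaces with prefixed names.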
Attack Vector
An attacker with physical or remote access to a browser that was used to log out of an Envoy-fronted application can resume the prior user's session simply by visiting the application again. No credentials are needed and no interaction from the victim is required beyond their earlier use of the browser. This is most relevant in shared workstation environments, kiosks, and managed desktop deployments. Logout in this filter consists only of deleting the cookies client-side; Envoy accepts any request whose OauthHMAC cookie validates and whose OauthExpires timestamp has not passed, so with the cookies still present the attacker inherits the original user's authorization context, including any sensitive data or privileged operations the session grants.
No public proof-of-concept exploit and no in-the-wild exploitation has been reported. See the Envoy security advisory GHSA-95j4-hw7f-v2rh for technical details.
Detection Methods for CVE-2025-55162
Indicators of Compromise
- Requests that arrive after a session has hit the logout (signout) path and still carry __Secure- or __Host- prefixed OAuth2 cookies (OauthHMAC, BearerToken, OauthExpires and any other cookies the filter issues), and that Envoy proxies as authenticated.
- Set-Cookie headers in the logout response that attempt to expire a __Secure- or __Host- prefixed cookie without the Secure attribute (or, for __Host-, with a Domain attribute or a Path other than /). A browser discards such a header, so the cookie is not removed; this indicates an unpatched deployment rather than an active compromise.
- Session activity timelines showing continued backend access following a documented logout event.
Detection Strategies
- Inspect Envoy access logs for logout requests followed by additional authenticated traffic carrying the same session identifier.
- Compare Set-Cookie headers emitted during logout against RFC 6265bis prefix rules in HTTP tap or mirror captures.
- Correlate identity provider logout events with downstream proxy session termination to detect mismatches.
Monitoring Recommendations
- Enable Envoy access logging that records a stable, non-reversible identifier for each session, for example a truncated hash of the OauthHMAC cookie value computed in a Lua or external processing filter and written to dynamic metadata. Envoy's built-in %REQ()% access-log operator emits raw header values, so do not log the cookie itself.
- Forward Envoy and OAuth2 provider logs to a centralized analytics platform to surface session anomalies.
- Alert on reuse of an OAuth2 session identifier from a different user-agent fingerprint or IP within a short interval.
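The following Python is an added detection example (not Envoy code) that implements the two correlations above over access-log entries: a session identifier that keeps being served after its logout request, and the same session identifier presented from a different client address or user agent within a short window. It assumes a JSON access-log format with a hypothetical `session_hash` field carrying a non-reversible hash of the OauthHMAC cookie; Envoy's stock access log has no such field, so it would have to be populated by a Lua or external filter. The log lines are constructed for the example.

```python
"""Added detection example, not Envoy project code. It correlates Envoy
access-log entries to flag (a) a session identifier still used after that
session's logout request and (b) the same session identifier arriving from a
different client address or user agent within a short window. It assumes a
JSON access-log format with a hypothetical `session_hash` field holding a
non-reversible hash of the OauthHMAC cookie (Envoy's stock access log has no
such field; populate it from a Lua or external filter). Log lines are
constructed for the example."""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SIGNOUT_PATH = "/signout"             # must match the filter's signout_path
REUSE_WINDOW = timedelta(minutes=10)  # window for the client-change check

# Constructed sample log. start_time, path, response_code, client_ip and
# user_agent correspond to %START_TIME%, %REQ(:PATH)%, %RESPONSE_CODE%,
# %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT% and %REQ(USER-AGENT)%.
SAMPLE_LOG = """\
{"start_time":"2025-09-04T09:00:01Z","path":"/dashboard","response_code":200,"client_ip":"10.0.0.5","user_agent":"Mozilla/5.0 (X11; Linux)","session_hash":"a1b2c3d4"}
{"start_time":"2025-09-04T09:05:10Z","path":"/signout","response_code":302,"client_ip":"10.0.0.5","user_agent":"Mozilla/5.0 (X11; Linux)","session_hash":"a1b2c3d4"}
{"start_time":"2025-09-04T09:07:45Z","path":"/dashboard","response_code":200,"client_ip":"10.0.0.5","user_agent":"Mozilla/5.0 (X11; Linux)","session_hash":"a1b2c3d4"}
{"start_time":"2025-09-04T09:08:30Z","path":"/api/me","response_code":200,"client_ip":"10.0.0.7","user_agent":"curl/8.5.0","session_hash":"a1b2c3d4"}
{"start_time":"2025-09-04T09:09:00Z","path":"/dashboard","response_code":200,"client_ip":"10.0.0.9","user_agent":"Mozilla/5.0 (Windows NT 10.0)","session_hash":"e5f6a7b8"}
"""

Client = Tuple[str, str]  # (client_ip, user_agent)


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with a parsed `ts`, ordered by time."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        entry["ts"] = datetime.fromisoformat(entry["start_time"].replace("Z", "+00:00"))
        entries.append(entry)
    return sorted(entries, key=lambda e: e["ts"])


def sessions_used_after_logout(entries: List[Dict]) -> Dict[str, List[str]]:
    """Map session_hash -> paths served with a non-error status after that
    session hit the signout path. Any hit means logout did not end it."""
    logout_at: Dict[str, datetime] = {}
    findings: Dict[str, List[str]] = {}
    for e in entries:
        sid = e.get("session_hash")
        if not sid:
            continue
        if e["path"] == SIGNOUT_PATH:
            logout_at[sid] = e["ts"]
            continue
        if sid in logout_at and e["ts"] > logout_at[sid] and e["response_code"] < 400:
            findings.setdefault(sid, []).append(e["path"])
    return findings


def sessions_with_client_change(entries: List[Dict],
                                window: timedelta = REUSE_WINDOW) -> Dict[str, List[Tuple[Client, Client]]]:
    """Map session_hash -> [(previous client, new client)] where the same
    session id is presented from a different client within `window`."""
    last_seen: Dict[str, Tuple[Client, datetime]] = {}
    findings: Dict[str, List[Tuple[Client, Client]]] = {}
    for e in entries:
        sid = e.get("session_hash")
        if not sid:
            continue
        client: Client = (e["client_ip"], e["user_agent"])
        prev = last_seen.get(sid)
        if prev and prev[0] != client and e["ts"] - prev[1] <= window:
            findings.setdefault(sid, []).append((prev[0], client))
        last_seen[sid] = (client, e["ts"])
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("used after logout:", sessions_used_after_logout(entries))
    print("client changed:", sessions_with_client_change(entries))
```

On the sample, session a1b2c3d4 is served /dashboard and /api/me after its /signout request, and the /api/me hit comes from a different address and user agent than the earlier traffic, which is the shared-browser pattern the attack vector describes. The logout path and reuse window are the two knobs to tune for a real deployment.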
How to Mitigate CVE-2025-55162
Immediate Actions Required
- Upgrade Envoy to 1.32.10, 1.33.7, 1.34.5, or 1.35.1, depending on your release branch.
- Audit all OAuth2 filter configurations for use of __Secure- or __Host- cookie name prefixes.
- After upgrading, rotate the OAuth2 filter's HMAC secret (credentials.hmac_secret): every OauthHMAC cookie signed with the old secret then fails validation, which forces re-authentication and invalidates cookies that earlier logouts failed to clear. Revoke outstanding tokens at the identity provider as well where it supports that.
Patch Information
The Envoy maintainers fixed the issue by ensuring the OAuth2 filter appends the Secure attribute when constructing deletion headers for prefixed cookies. Patched releases are available in Envoy v1.35.1 and the corresponding maintenance branches. Review the GitHub Security Advisory GHSA-95j4-hw7f-v2rh for full version guidance.
Workarounds
- Reconfigure the OAuth2 filter to use cookie names without the __Secure- or __Host- prefix until patching is complete. This gives up the browser-enforced guarantees of the prefixes (the cookie can only be set over HTTPS and, for __Host-, cannot be scoped to a parent domain or a sub-path), so treat it as a temporary measure.
- Shorten OAuth2 token and session lifetimes to reduce the window of usable stale sessions.
- Enforce server-side session revocation at the identity provider so logout invalidates tokens regardless of client cookie state.
# Configuration example: avoid prefixed cookie names until patched.
# In the Envoy OAuth2 filter configuration, set credentials.cookie_names to
# values that do not begin with __Secure- or __Host- (the values below are the
# filter's defaults). Apply the same rule to any id_token, refresh_token or
# oauth_nonce cookie names you have configured. The other required OAuth2
# fields (token_endpoint, authorization_endpoint, redirect_uri,
# redirect_path_matcher, signout_path and the client_id, token_secret and
# hmac_secret entries under credentials) are omitted from this fragment.
http_filters:
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
    config:
      credentials:
        cookie_names:
          bearer_token: BearerToken
          oauth_hmac: OauthHMAC
          oauth_expires: OauthExpires
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


