CVE-2025-54588

7.5 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in Envoy's DNS cache within the Dynamic Forward Proxy implementation. It can cause abnormal process termination (crash) when specific callback conditions trigger new DNS resolutions while removing pending ones. Affected systems are Envoy deployments with dynamic forwarding filter enabled and specific runtime flags set.

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: 1.34.0 through 1.34.4, 1.35.0
Operating Systems: All platforms running Envoy
Default Config Vulnerable: ✅ No
Notes: Requires the Dynamic Forwarding Filter to be enabled, the envoy.reloadable_features.dfp_cluster_resolves_hosts runtime flag to be enabled, and Host header modification between the Dynamic Forwarding Filter and the Router filter.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Denial of service causing Envoy proxy crashes, disrupting all traffic routing through affected instances and potentially cascading to dependent services.

🟠 Likely Case

Intermittent Envoy process crashes leading to service disruptions, connection drops, and degraded performance until processes restart.

🟢 If Mitigated

With proper monitoring and automatic restart mechanisms, impact is limited to brief service interruptions during crash/recovery cycles.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific configuration conditions but no authentication. Triggering requires manipulating traffic to create the callback race condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.34.5, 1.35.1

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw

Restart Required: Yes

Instructions:

1. Download the patched version from the official releases.
2. Replace the existing Envoy binary.
3. Restart the Envoy service.
4. Verify the version with envoy --version.

🔧 Temporary Workarounds

Disable runtime flag

Applies to: all affected versions

Set the envoy.reloadable_features.dfp_cluster_resolves_hosts runtime flag to false to prevent the vulnerable code path from being reached.

Set runtime flag: envoy.reloadable_features.dfp_cluster_resolves_hosts = false

🧯 If You Can't Patch

  • Disable the Dynamic Forwarding Filter if it is not required for functionality
  • Implement aggressive health checking and automatic restart for Envoy processes

🔍 How to Verify

Check if Vulnerable:

Check the Envoy version with 'envoy --version' and verify whether the configuration has the Dynamic Forwarding Filter enabled together with the problematic runtime flag.

Check Version:

envoy --version

Verify Fix Applied:

Confirm version is 1.34.5+ or 1.35.1+ and monitor for abnormal process terminations.
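The version and configuration check above, as an added example that is not part of this advisory: it parses `envoy --version` output, tests the version against the affected ranges stated here (1.34.0 through 1.34.4 and 1.35.0), and checks whether the Dynamic Forward Proxy HTTP filter and the runtime flag are both present. The `envoy --version` output shape and the filter name `envoy.filters.http.dynamic_forward_proxy` are assumptions; the Host header modification condition is not checked here.

```python
import re

# Affected patch ranges from the advisory: 1.34.0-1.34.4 and 1.35.0.
AFFECTED_PATCH_RANGES = {(1, 34): range(0, 5), (1, 35): range(0, 1)}
FLAG = "envoy.reloadable_features.dfp_cluster_resolves_hosts"
DFP_FILTER = "envoy.filters.http.dynamic_forward_proxy"  # assumed filter name

def parse_envoy_version(output):
    """Extract (major, minor, patch) from `envoy --version` output.
    Assumed output shape: 'envoy  version: <sha>/1.34.4/Clean/RELEASE/BoringSSL'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(g) for g in m.groups()) if m else None

def version_affected(version):
    """True when the version lies in one of the advisory's affected ranges."""
    major, minor, patch = version
    return patch in AFFECTED_PATCH_RANGES.get((major, minor), range(0))

def flag_enabled(static_layer):
    """True only when the runtime static layer explicitly sets the flag to true.
    The flag's default in a given release must be checked against that release's notes."""
    value = static_layer.get(FLAG)
    return value is True or str(value).lower() == "true"

def assess(version_output, http_filter_names, static_layer):
    """Combine the three checks; 'exposed' is True only when all of them hold."""
    version = parse_envoy_version(version_output)
    affected = version is not None and version_affected(version)
    dfp_present = DFP_FILTER in http_filter_names
    flag_set = flag_enabled(static_layer)
    return {
        "version": version,
        "version_affected": affected,
        "dfp_filter": dfp_present,
        "flag_set": flag_set,
        "exposed": affected and dfp_present and flag_set,
    }

# Constructed sample input standing in for a real binary and bootstrap config.
SAMPLE_VERSION_OUTPUT = "envoy  version: 3c2f8a1d/1.34.4/Clean/RELEASE/BoringSSL"
SAMPLE_FILTERS = [DFP_FILTER, "envoy.filters.http.router"]
SAMPLE_RUNTIME = {FLAG: True}

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_FILTERS, SAMPLE_RUNTIME))
```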

📡 Detection & Monitoring

Log Indicators:

  • Envoy process crashes
  • Abnormal termination messages
  • DNS resolution errors in logs

Network Indicators:

  • Sudden drops in proxy traffic
  • Increased connection timeouts
  • DNS query failures

SIEM Query:

process.name="envoy" AND (event.action="crash" OR (log.level="error" AND message CONTAINS "termination"))
