CVE-2025-54588

Name of the Vulnerable Software and Affected Versions Envoy versions 1.34.0 through 1.34.4 Envoy version 1.35.0

Description Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Affected versions contain a use-after-free (UAF) vulnerability in the DNS cache, leading to abnormal process termination. The issue occurs in Envoy's Dynamic Forward Proxy implementation when a completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions. This condition may occur when the dynamic Forwarding Filter is enabled, the envoy.reloadable features.dfp cluster resolves hosts runtime flag is enabled, and the Host header is modified between the Dynamic Forwarding Filter and Router filters.

Recommendations Envoy versions 1.34.0 through 1.34.4: Upgrade to version 1.34.5 or later. Envoy version 1.35.0: Upgrade to version 1.35.1 or later. As a workaround for all affected versions, set the envoy.reloadable features.dfp cluster resolves hosts runtime flag to false.