CVE-2025-54588: Envoy: Race condition in Dynamic Forward Proxy leads to use-after-free and segmentation faults

Published Sep 2, 2025
·
Updated

### Summary A use-after-free (UAF) vulnerability in Envoy's DNS cache causes abnormal process termination. Envoy may reallocate memory when processing a pending DNS resolution, causing list iterator to reference freed memory. ### Details The vulnerability exists in Envoy's Dynamic Forward Proxy implementation starting from version v1.34.0. The issue occurs when a completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions. This condition may occur in the following configuration: 1. Dynamic Forwarding Filter is enabled. 2. `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag is enabled. 3. The Host header is modified between the Dynamic Forwarding Filter and Router filters. ### Impact Denial of service due to abnormal process termination. ### Attack vector(s) Request to Envoy configured as indicated above. ### Patches Users should upgrade to v1.35.1 or v1.34.5. ### Workaround Set the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag to `false`. ### Detection Abnormal process termination with the `Envoy::Event::DispatcherImpl::runPostCallbacks()` frame in the call stack. ### Credits Rohit Agrawal ([agrawroh](https://github.com/agrawroh)) ([rohit.agrawal@databricks.com](mailto:rohit.agrawal@databricks.com))

Affected Software

5 affected componentsFixes available
Envoy Envoy>=1.34.0<=1.34.4
Envoyproxy Envoy>=1.34.0<1.34.5
Envoyproxy Envoy=1.35.0
go/github.com/envoyproxy/envoy>=1.34.0<1.34.5
1.34.5
go/github.com/envoyproxy/envoy=1.35.0
1.35.1

Remediation

Patch Available

https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw

Event History

Sep 2, 2025
CVE Published
via MITRE·11:39 PM
Data Sourced
via MITRE·11:39 PM
DescriptionSeverityWeakness
Sep 3, 2025
Data Sourced
via NVD·12:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Sep 15, 2025
Advisory Published
via GitHub·04:46 PM
Data Sourced
via GitHub·04:46 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-54588?

CVE-2025-54588 is classified as a high-severity vulnerability due to its potential to cause abnormal termination of processes.

2

What versions of Envoy are affected by CVE-2025-54588?

CVE-2025-54588 affects Envoy versions 1.34.0 through 1.34.4 and also 1.35.0.

3

How do I fix CVE-2025-54588?

To remediate CVE-2025-54588, upgrade to Envoy version 1.34.5 or 1.35.1 or later.

4

What is a use-after-free vulnerability in the context of CVE-2025-54588?

A use-after-free vulnerability, like CVE-2025-54588, occurs when a program continues to use a memory resource after it has been freed, leading to potential crashes or exploitation.

5

What impact does CVE-2025-54588 have on system stability?

CVE-2025-54588 can lead to unexpected crashes and system instability due to the abnormal termination of processes related to the DNS cache.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203
CVE-2025-54588 - Envoy: Race condition in Dynamic Forward Proxy leads to use-after-free and segmentation faults - SecAlerts