CVE-2025-54588

Severity: HIGH 7.5 | EPSS 0.01%

Envoy: Race condition in Dynamic Forward Proxy leads to use-after-free and segmentation faults

Published: 2025/9/15 | Modified: 2025/9/15
Also known as: GHSA-g9vw-6pvx-7gmw, BIT-envoy-2025-54588

Description

### Summary

A use-after-free (UAF) vulnerability in Envoy's DNS cache causes abnormal process termination. Envoy may reallocate memory while processing a pending DNS resolution, causing a list iterator to reference freed memory.

### Details

The vulnerability exists in Envoy's Dynamic Forward Proxy implementation starting from version v1.34.0. The issue occurs when a completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions. This condition may occur in the following configuration:

1. Dynamic Forwarding Filter is enabled.
2. `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag is enabled.
3. The Host header is modified between the Dynamic Forwarding Filter and Router filters.

### Impact

Denial of service due to abnormal process termination.

### Attack vector(s)

Request to Envoy configured as indicated above.

### Patches

Users should upgrade to v1.35.1 or v1.34.5.

### Workaround

Set the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag to `false`.

### Detection

Abnormal process termination with the `Envoy::Event::DispatcherImpl::runPostCallbacks()` frame in the call stack.

### Credits

Rohit Agrawal ([agrawroh](https://github.com/agrawroh)) ([[email protected]](mailto:[email protected]))
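The workaround above applied in an Envoy bootstrap, as an added example that is not part of the advisory or the Envoy project's own configuration; it assumes the remaining bootstrap sections (listeners, clusters, admin) already exist and that the admin interface, if used for verification, listens on port 9901.

```yaml
# Added example (not from the advisory): pin the runtime flag named in the
# Workaround section to false through a static runtime layer in the bootstrap.
layered_runtime:
  layers:
    # Static layer: values baked into the bootstrap and applied at startup.
    - name: static_layer
      static_layer:
        # Mitigation for CVE-2025-54588 until the binary is upgraded to
        # v1.34.5 / v1.35.1: stop the DFP cluster from resolving hosts itself.
        envoy.reloadable_features.dfp_cluster_resolves_hosts: false
    # Optional admin layer (later layers override earlier ones) so the value
    # can be inspected or overridden through the admin interface.
    - name: admin_layer
      admin_layer: {}
```

The effective value can be confirmed on a running instance with `curl -s http://127.0.0.1:9901/runtime` (admin port assumed), which lists every runtime key together with the layer it came from.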

Affected packages (2)

CVSS score

| Source | Version  | Severity | Vector                                       |
|--------|----------|----------|----------------------------------------------|
| osv    | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

References (5)