=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN609
_____________________________________________________________________

DATE                : 15/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Envoy (Go) versions prior to
                     1.35.1, 1.34.5.

=====================================================================
https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw
_____________________________________________________________________


Use after free in DNS cache
High
phlax published GHSA-g9vw-6pvx-7gmw Sep 2, 2025

Package
github.com/envoyproxy/envoy (Go)

Affected versions
1.35.0, 1.34.0-4

Patched versions
1.35.1, 1.34.5


Description

Summary

A use-after-free (UAF) vulnerability in Envoy's DNS cache causes
abnormal process termination. Envoy may reallocate memory when
processing a pending DNS resolution, causing a list iterator to
reference freed memory.


Details

The vulnerability exists in Envoy's Dynamic Forward Proxy
implementation starting from version v1.34.0. The issue occurs
when a completion callback for a DNS resolution triggers new DNS
resolutions or removes existing pending resolutions. This condition
may occur in the following configuration:

    - Dynamic Forwarding Filter is enabled.
    - The envoy.reloadable_features.dfp_cluster_resolves_hosts runtime
      flag is enabled.
    - The Host header is modified between the Dynamic Forwarding
      Filter and Router filters.


Impact

Denial of service due to abnormal process termination.


Attack vector(s)

Request to Envoy configured as indicated above.


Patches

Users should upgrade to v1.35.1 or v1.34.5.


Workaround

Set the envoy.reloadable_features.dfp_cluster_resolves_hosts
runtime flag to false.


Detection

Abnormal process termination with the
Envoy::Event::DispatcherImpl::runPostCallbacks() frame in the
call stack.
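
A triage sketch for the Detection and Affected versions sections above, added here as an example and not part of the Envoy advisory: it checks a version string against the affected ranges and finds crash backtraces that contain the frame named above. The log layout (`[backtrace]` tag, `Caught ` signal line) and the sample lines are constructed assumptions; adapt the matching to your own log format.

```python
import re

# Frame named in the advisory's Detection section.
FRAME = "Envoy::Event::DispatcherImpl::runPostCallbacks()"

def is_affected(version):
    """True for the advisory's affected versions: 1.34.0 to 1.34.4, and 1.35.0."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return (1, 34, 0) <= v <= (1, 34, 4) or v == (1, 35, 0)

def crashes_with_frame(lines):
    """Return 1-based line numbers of crash headers whose backtrace has FRAME.

    Assumed layout: a crash begins at a '[backtrace]' line containing 'Caught '
    and continues over the consecutive '[backtrace]' lines that follow it.
    """
    hits, start, matched = [], None, False
    for no, line in enumerate(list(lines) + [""], 1):  # "" flushes the last block
        in_bt = "[backtrace]" in line
        if start is not None and (not in_bt or "Caught " in line):
            if matched:
                hits.append(start)
            start, matched = None, False
        if in_bt and "Caught " in line:
            start = no
        elif in_bt and start is not None:
            matched = matched or FRAME in line
    return hits

# Constructed sample log lines (not from a real incident); addresses are placeholders.
SAMPLE_LOG = [
    "[2025-09-03 10:14:07.101][1][info][main] starting main dispatch loop",
    "[2025-09-03 10:15:42.550][23][critical][backtrace] Caught Segmentation fault",
    "[2025-09-03 10:15:42.550][23][critical][backtrace] Backtrace:",
    "[2025-09-03 10:15:42.551][23][critical][backtrace] #0: " + FRAME + " [0x0]",
    "[2025-09-03 10:15:42.551][23][critical][backtrace] #1: Envoy::Event::DispatcherImpl::run() [0x0]",
    "[2025-09-03 10:20:00.000][1][info][main] starting main dispatch loop",
    "[2025-09-03 10:31:09.200][24][critical][backtrace] Caught Segmentation fault",
    "[2025-09-03 10:31:09.201][24][critical][backtrace] #0: Envoy::Server::InstanceImpl::run() [0x0]",
]

if __name__ == "__main__":
    for v in ("1.34.4", "1.35.0", "1.35.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("crash headers with frame at lines:", crashes_with_frame(SAMPLE_LOG))
```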


Credits

Rohit Agrawal (agrawroh) (rohit.agrawal@databricks.com)


Severity

High, 7.5 / 10


CVSS v3 base metrics

    Attack vector       : Network
    Attack complexity   : Low
    Privileges required : None
    User interaction    : None
    Scope               : Unchanged
    Confidentiality     : None
    Integrity           : None
    Availability        : High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2025-54588

Weaknesses
CWE-416


Credits

    @agrawroh (Finder)
    @yanavlasov (Remediation developer)
    @phlax (Coordinator)
    @botengyao (Remediation reviewer)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
