Security releases of Envoy 1.35.2, 1.34.6, 1.33.8 and 1.32.11 are now available

Yan Avlasov

Sep 3, 2025, 11:19:12 AM
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers
Hello Envoy Community,

The Envoy security team would like to announce the availability of Envoy 1.35.2, 1.34.6, 1.33.8 and 1.32.11.
This addresses the following CVE(s):

* CVE-2025-55162 (CVSS score 6.3/10) add missing secure attribute to OAuth sign out cookies.
* CVE-2025-54588 (CVSS score 7.5/10) fix use-after-free in DNS resolution.
Upgrading to 1.35.2, 1.34.6, 1.33.8 and 1.32.11 is encouraged to fix these issues.

GitHub tag: https://github.com/envoyproxy/envoy/releases/tag/v1.35.2
Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags
Release notes: https://www.envoyproxy.io/docs/envoy/v1.35.2/version_history/current.rst
Docs: https://www.envoyproxy.io/docs/envoy/v1.35.2/

For more information about fixed vulnerabilities please see the following links:
Missing OAuth secure attributes, CVE-2025-55162: https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh
UAF in DNS resolution, CVE-2025-54588: https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw
Thanks,

Yan Avlasov (on behalf of the Envoy security team and maintainers)