CVE-2025-54588: CWE-416: Use After Free in envoyproxy envoy
Envoy is an open source L7 proxy and communication bus designed for large modern service-oriented architectures. Versions 1.34.0 through 1.34.4 and 1.35.0 contain a use-after-free (UAF) vulnerability in the DNS cache that causes abnormal process termination. The vulnerability is in Envoy's Dynamic Forward Proxy implementation and occurs when the completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions. This can happen when all of the following conditions are met: the Dynamic Forwarding Filter is enabled, the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag is enabled, and the Host header is modified between the Dynamic Forwarding Filter and the Router filter. This issue is resolved in versions 1.34.5 and 1.35.1. To work around it, set the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag to false.
AI Analysis
Technical Summary
CVE-2025-54588 is a high-severity use-after-free (UAF) vulnerability affecting the Envoy proxy, specifically versions 1.34.0 through 1.34.4 and 1.35.0. Envoy is a widely used open-source Layer 7 proxy and communication bus designed for modern service-oriented architectures, often deployed in cloud-native environments and microservices infrastructures. The vulnerability resides in the DNS cache subsystem of Envoy's Dynamic Forward Proxy (DFP) implementation. It occurs when a DNS resolution completion callback triggers additional DNS resolutions or removes pending resolutions, under specific runtime conditions: the Dynamic Forwarding Filter must be enabled, the runtime flag `envoy.reloadable_features.dfp_cluster_resolves_hosts` must be set to true, and the Host header must be modified between the Dynamic Forwarding Filter and the Router filter. This sequence leads to a use-after-free, causing abnormal process termination (a crash) of the Envoy proxy. While the vulnerability does not directly compromise confidentiality or integrity, the resulting denial of service (DoS) can disrupt critical network traffic routing and service availability. The issue is resolved in versions 1.34.5 and 1.35.1. As a workaround, setting the runtime flag `envoy.reloadable_features.dfp_cluster_resolves_hosts` to false prevents the problematic behavior. No known exploits are reported in the wild as of the publication date. The CVSS 3.1 score is 7.5 (high), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability with no impact on confidentiality or integrity.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on Envoy as a critical component in their service mesh, API gateway, or microservices infrastructure. A successful exploitation leads to process crashes, causing denial of service and potential disruption of business-critical applications and services. This can affect sectors such as finance, telecommunications, healthcare, and government services where high availability and reliability are mandatory. The disruption may also cascade in complex distributed systems, impacting multiple dependent services. Although no data breach or integrity compromise is indicated, the availability impact alone can result in financial losses, regulatory non-compliance (e.g., under GDPR for service continuity), and reputational damage. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.
Mitigation Recommendations
European organizations should promptly upgrade Envoy to version 1.34.5 or 1.35.1, where the vulnerability is fixed. If an immediate upgrade is not feasible, the recommended workaround is to set the runtime flag `envoy.reloadable_features.dfp_cluster_resolves_hosts` to false, which disables the problematic DNS resolution behavior. Additionally, organizations should audit their Envoy configurations to verify whether the Dynamic Forwarding Filter is enabled and whether Host header modifications occur between the Dynamic Forwarding Filter and the Router filter, as these conditions together trigger the vulnerability. Robust monitoring and alerting for Envoy process crashes can help detect exploitation attempts early. Network segmentation and limiting the exposure of Envoy instances to untrusted networks reduce the attack surface. Finally, maintaining an up-to-date inventory of Envoy versions deployed across environments and integrating vulnerability scanning into CI/CD pipelines will help prevent future exposure.
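The audit described above can be scripted against the bootstrap that Envoy loads. The following is an added example, not code from the Envoy project or from this advisory: it reads a bootstrap in JSON form (Envoy accepts JSON as well as YAML), reports every HTTP connection manager whose filter chain contains the dynamic forward proxy filter, checks whether `envoy.reloadable_features.dfp_cluster_resolves_hosts` is pinned to false in a static runtime layer, and lists any HTTP filters that sit between the DFP filter and the router (the position from which a Host rewrite would trigger the bug). The sample bootstrap, the listener name and the `backend.internal` value are constructed for illustration; the type URLs are the v3 API names as the author of this example knows them. It deliberately does not guess the flag's default: an unset key is reported as "not pinned to false" so that the reader resolves it against their actual version.

```python
"""Audit an Envoy bootstrap for the CVE-2025-54588 trigger conditions (added example)."""
import json

# v3 extension type URLs (assumed current; check against your Envoy version's API docs).
HCM_TYPE = ("type.googleapis.com/envoy.extensions.filters.network."
            "http_connection_manager.v3.HttpConnectionManager")
DFP_FILTER_TYPE = "type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig"
ROUTER_FILTER_TYPE = "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
HEADER_MUTATION_TYPE = "type.googleapis.com/envoy.extensions.filters.http.header_mutation.v3.HeaderMutation"
RUNTIME_KEY = "envoy.reloadable_features.dfp_cluster_resolves_hosts"


def _flatten(tree, prefix=""):
    """Static runtime layers may nest keys (envoy: {reloadable_features: {...}}); flatten to dotted keys."""
    out = {}
    for key, value in tree.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(_flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def runtime_flag_value(bootstrap):
    """Effective value of RUNTIME_KEY across static layers (later layers win), or None if unset.
    Disk and admin runtime layers are not inspected here; check those separately."""
    value = None
    for layer in bootstrap.get("layered_runtime", {}).get("layers", []):
        flat = _flatten(layer.get("static_layer", {}))
        if RUNTIME_KEY in flat:
            value = flat[RUNTIME_KEY]
    return value


def http_filter_chains(bootstrap):
    """Yield (listener_name, http_filters) for every HTTP connection manager in static listeners."""
    for listener in bootstrap.get("static_resources", {}).get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for net_filter in chain.get("filters", []):
                typed = net_filter.get("typed_config", {})
                if typed.get("@type") == HCM_TYPE:
                    yield listener.get("name", "<unnamed>"), typed.get("http_filters", [])


def audit(bootstrap):
    """Return findings as (listener, code, detail) tuples; an empty list means no trigger condition seen."""
    findings = []
    flag = runtime_flag_value(bootstrap)
    for listener, filters in http_filter_chains(bootstrap):
        types = [f.get("typed_config", {}).get("@type") for f in filters]
        if DFP_FILTER_TYPE not in types:
            continue
        findings.append((listener, "dfp_enabled", "dynamic forward proxy filter is in the chain"))
        if flag is not False:
            findings.append((listener, "flag_not_false",
                             f"{RUNTIME_KEY} is not pinned to false (static value: {flag!r}); "
                             "upgrade to 1.34.5/1.35.1 or set it to false"))
        dfp_idx = types.index(DFP_FILTER_TYPE)
        router_idx = types.index(ROUTER_FILTER_TYPE) if ROUTER_FILTER_TYPE in types else len(types)
        between = [filters[i].get("name", types[i]) for i in range(dfp_idx + 1, router_idx)]
        if between:
            findings.append((listener, "filters_between",
                             f"filters between DFP and router may rewrite Host, review: {between}"))
    return findings


# Constructed sample: DFP, then a header-mutation filter rewriting :authority, then the router.
SAMPLE_BOOTSTRAP = json.loads(json.dumps({
    "static_resources": {"listeners": [{
        "name": "egress",
        "filter_chains": [{"filters": [{
            "name": "envoy.filters.network.http_connection_manager",
            "typed_config": {"@type": HCM_TYPE, "http_filters": [
                {"name": "envoy.filters.http.dynamic_forward_proxy",
                 "typed_config": {"@type": DFP_FILTER_TYPE}},
                {"name": "envoy.filters.http.header_mutation",
                 "typed_config": {"@type": HEADER_MUTATION_TYPE, "mutations": {"request_mutations": [
                     {"append": {"header": {"key": ":authority", "value": "backend.internal"}}}]}}},
                {"name": "envoy.filters.http.router",
                 "typed_config": {"@type": ROUTER_FILTER_TYPE}},
            ]}}]}]}]}}))


def with_workaround(bootstrap):
    """Copy of the bootstrap with the advisory's workaround applied in a static runtime layer."""
    patched = json.loads(json.dumps(bootstrap))
    patched["layered_runtime"] = {"layers": [{
        "name": "static_layer_0",
        "static_layer": {"envoy": {"reloadable_features": {"dfp_cluster_resolves_hosts": False}}}}]}
    return patched


if __name__ == "__main__":
    for label, cfg in (("as deployed", SAMPLE_BOOTSTRAP), ("with workaround", with_workaround(SAMPLE_BOOTSTRAP))):
        print(f"== {label} ==")
        for listener, code, detail in audit(cfg):
            print(f"{listener}: [{code}] {detail}")
```

Run it against a real bootstrap with `json.load(open(path))` in place of `SAMPLE_BOOTSTRAP`; configs delivered over xDS (LDS, RDS) are not in the static bootstrap and need to be dumped from the admin `config_dump` endpoint first. The `filters_between` finding is intentionally broad: any filter in that position can modify headers, so it is a review prompt rather than a proof that Host is rewritten.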
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-25T16:19:16.094Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68b78223ad5a09ad00e9adff
Added to database: 9/2/2025, 11:47:47 PM
Last enriched: 9/10/2025, 4:44:10 AM
Last updated: 10/19/2025, 10:51:11 AM