CVE-2025-54588: CWE-416: Use After Free in envoyproxy envoy

High
Tags: Vulnerability, CVE-2025-54588, CWE-416
Published: Tue Sep 02 2025 (09/02/2025, 23:39:07 UTC)
Source: CVE Database V5
Vendor/Project: envoyproxy
Product: envoy

Description

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Versions 1.34.0 through 1.34.4 and 1.35.0 contain a use-after-free (UAF) vulnerability in the DNS cache, causing abnormal process termination. The vulnerability is in Envoy's Dynamic Forward Proxy implementation and occurs when a completion callback for a DNS resolution triggers new DNS resolutions or removes existing pending resolutions. It can be reached only when all of the following hold: the Dynamic Forwarding Filter is enabled, the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag is enabled, and the Host header is modified between the Dynamic Forwarding Filter and Router filters. This issue is resolved in versions 1.34.5 and 1.35.1. To work around this issue, set the `envoy.reloadable_features.dfp_cluster_resolves_hosts` runtime flag to false.

AI-Powered Analysis

Last updated: 09/03/2025, 00:02:45 UTC

Technical Analysis

CVE-2025-54588 is a high-severity use-after-free (UAF) vulnerability affecting the Envoy proxy, specifically versions 1.34.0 through 1.34.4 and 1.35.0. Envoy is a widely used open-source Layer 7 proxy and communication bus designed for modern service-oriented architectures, often deployed in microservices environments to manage service-to-service communication. The vulnerability resides in Envoy's Dynamic Forward Proxy implementation, specifically in the DNS cache handling. The flaw occurs when a DNS resolution completion callback triggers additional DNS resolutions or removes pending resolutions, so that the callback operates on resolution state that has already been freed. This causes abnormal process termination (a crash), affecting the availability of the proxy service. The vulnerability manifests only under specific conditions: the Dynamic Forwarding Filter must be enabled, the runtime flag `envoy.reloadable_features.dfp_cluster_resolves_hosts` must be set to true, and the Host header must be modified between the Dynamic Forwarding Filter and Router filters. The issue has been addressed in versions 1.34.5 and 1.35.1. Until an upgrade is applied, the workaround is to disable the runtime flag by setting `envoy.reloadable_features.dfp_cluster_resolves_hosts` to false. The CVSS 3.1 score is 7.5 (high severity) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that the vulnerability is remotely reachable without authentication or user interaction and impacts availability but not confidentiality or integrity. No known exploits are reported in the wild yet.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability of critical network infrastructure components that rely on Envoy proxies for service mesh, API gateway, or edge proxy functions. Disruption of Envoy instances due to crashes can lead to service outages, degraded performance, and potential cascading failures in microservices architectures. Organizations in sectors such as finance, telecommunications, healthcare, and government, where high availability and reliability are paramount, may experience operational disruptions. Additionally, since Envoy is often used in cloud-native environments and Kubernetes clusters, the vulnerability could affect cloud service providers and enterprises leveraging container orchestration, potentially impacting large-scale deployments. Although the vulnerability does not directly compromise confidentiality or integrity, denial of service conditions can indirectly affect business continuity and service-level agreements (SLAs).

Mitigation Recommendations

European organizations should prioritize upgrading Envoy to version 1.34.5 or 1.35.1, where the vulnerability is fixed. If immediate patching is not feasible, the recommended workaround is to disable the runtime flag `envoy.reloadable_features.dfp_cluster_resolves_hosts` by setting it to false, which prevents the vulnerable code path from being exercised. Additionally, organizations should audit their Envoy configurations to verify whether the Dynamic Forwarding Filter is enabled and whether Host header modifications occur between the Dynamic Forwarding Filter and Router filters, as both conditions are required to trigger the vulnerability. Monitoring Envoy logs and process supervisors for abnormal process terminations can help detect exploitation attempts or crashes. Implementing robust process supervision and automatic restart mechanisms can limit the impact of service disruption. Network segmentation and limiting exposure of Envoy instances to untrusted networks can reduce the attack surface. Finally, organizations should stay alert for any emerging exploit reports and apply security updates promptly.
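The audit described above, and the trigger conditions listed in the technical analysis, can be checked mechanically against an Envoy bootstrap. The script below is an added example written for this page; it is not Envoy's code and not part of the advisory. It reads the bootstrap in Envoy's JSON form (Envoy accepts JSON as well as YAML), checks whether the running version falls in the affected ranges, whether a Dynamic Forward Proxy HTTP filter is installed, whether a filter that can rewrite request headers sits between that filter and the router filter, and whether the `envoy.reloadable_features.dfp_cluster_resolves_hosts` workaround has been applied in a static runtime layer. The runtime key is the one from the advisory and the filter names (`envoy.filters.http.dynamic_forward_proxy`, `envoy.filters.http.router`, `envoy.filters.http.lua`, `envoy.filters.http.header_mutation`, `envoy.filters.http.ext_proc`) are real Envoy filter names; the set of "header-mutating" filters is a heuristic assumption, not an exhaustive list, and the two bootstrap documents are constructed samples. Treating a flag that is not explicitly set to false as "workaround not applied" is a deliberately conservative assumption.

```python
"""Audit an Envoy bootstrap (JSON form) for the CVE-2025-54588 trigger conditions.

Added example, not Envoy's own code. Filter names and the runtime key are real
Envoy identifiers; the HEADER_MUTATING_FILTERS set is a heuristic assumption and
the sample bootstraps at the bottom are constructed for illustration.
"""
import copy
import json

RUNTIME_FLAG = "envoy.reloadable_features.dfp_cluster_resolves_hosts"
DFP_FILTER = "envoy.filters.http.dynamic_forward_proxy"
ROUTER_FILTER = "envoy.filters.http.router"
# Filters that may rewrite request headers (including Host / :authority) on the
# request path. Heuristic list (assumption); extend it for your own deployment.
HEADER_MUTATING_FILTERS = {
    "envoy.filters.http.lua",
    "envoy.filters.http.header_mutation",
    "envoy.filters.http.ext_proc",
}
# Affected ranges from the advisory: 1.34.0..1.34.4 and 1.35.0 (inclusive).
AFFECTED_RANGES = [((1, 34, 0), (1, 34, 4)), ((1, 35, 0), (1, 35, 0))]


def parse_version(text):
    """'1.34.4' -> (1, 34, 4); tuple comparison gives correct ordering."""
    return tuple(int(part) for part in text.split("."))


def is_affected_version(version):
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def runtime_flag_value(bootstrap):
    """Value of the flag in the static runtime layers, or None if never set.
    Later layers override earlier ones, so the last occurrence wins."""
    value = None
    for layer in bootstrap.get("layered_runtime", {}).get("layers", []):
        static = layer.get("static_layer", {})
        if RUNTIME_FLAG in static:
            value = static[RUNTIME_FLAG]
    return value


def iter_http_filter_chains(bootstrap):
    """Yield the http_filters list of every HTTP connection manager."""
    for listener in bootstrap.get("static_resources", {}).get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for net_filter in chain.get("filters", []):
                cfg = net_filter.get("typed_config", {})
                if "http_filters" in cfg:
                    yield cfg["http_filters"]


def assess(bootstrap, version):
    """Return a dict of findings; 'needs_action' is True when the version is
    affected, the DFP filter is installed and the flag is not set to false."""
    findings = {
        "affected_version": is_affected_version(version),
        "dfp_filter_enabled": False,
        "header_mutation_between_dfp_and_router": [],
        "runtime_flag": runtime_flag_value(bootstrap),
    }
    for filters in iter_http_filter_chains(bootstrap):
        names = [f.get("name") for f in filters]
        if DFP_FILTER not in names:
            continue
        findings["dfp_filter_enabled"] = True
        start = names.index(DFP_FILTER)
        end = names.index(ROUTER_FILTER) if ROUTER_FILTER in names else len(names)
        for name in names[start + 1:end]:
            if name in HEADER_MUTATING_FILTERS:
                findings["header_mutation_between_dfp_and_router"].append(name)
    findings["workaround_applied"] = findings["runtime_flag"] is False
    findings["needs_action"] = (
        findings["affected_version"]
        and findings["dfp_filter_enabled"]
        and not findings["workaround_applied"]
    )
    return findings


# Constructed sample: DFP filter, then a Lua filter, then the router, no runtime layer.
VULNERABLE_SHAPED = json.loads("""
{"static_resources": {"listeners": [{"name": "egress", "filter_chains": [{"filters": [
  {"name": "envoy.filters.network.http_connection_manager",
   "typed_config": {
     "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
     "stat_prefix": "egress",
     "http_filters": [
       {"name": "envoy.filters.http.dynamic_forward_proxy"},
       {"name": "envoy.filters.http.lua"},
       {"name": "envoy.filters.http.router"}]}}]}]}]}}
""")

# Same bootstrap with the advisory's workaround applied in a static runtime layer.
MITIGATED = copy.deepcopy(VULNERABLE_SHAPED)
MITIGATED["layered_runtime"] = {
    "layers": [{"name": "static_layer_0", "static_layer": {RUNTIME_FLAG: False}}]
}

if __name__ == "__main__":
    for label, cfg in (("unmitigated", VULNERABLE_SHAPED), ("mitigated", MITIGATED)):
        print(label, json.dumps(assess(cfg, "1.34.3"), indent=2))
```

Run it against a real bootstrap by replacing the constructed samples with `json.load(open(path))` and passing the output of `envoy --version`; a `needs_action` of True means either upgrade to 1.34.5 / 1.35.1 or add the `static_layer` shown in `MITIGATED`. The header-mutation list only flags the obvious candidates, so a non-empty result is a prompt to inspect that chain, and an empty one is not proof that Host is never rewritten.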

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-25T16:19:16.094Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68b78223ad5a09ad00e9adff

Added to database: 9/2/2025, 11:47:47 PM

Last enriched: 9/3/2025, 12:02:45 AM

Last updated: 9/3/2025, 1:09:34 PM
