
CVE-2025-55162: CWE-613: Insufficient Session Expiration in envoyproxy envoy

Medium
Tags: Vulnerability, CVE-2025-55162, cve, cwe-613
Published: Wed Sep 03 2025 (09/03/2025, 19:51:51 UTC)
Source: CVE Database V5
Vendor/Project: envoyproxy
Product: envoy

Description

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10, 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient session expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist. This allows a user to remain logged in after they believe they have logged out, creating a session hijacking risk on shared computers. The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes. This failure to properly construct the deletion header means the user's session cookies are never removed by the browser, leaving the session active and allowing the next user of the same browser to gain unauthorized access to the original user's account and data. This is fixed in versions 1.32.10, 1.33.7, 1.34.5 and 1.35.1.

AI-Powered Analysis

AI analysis last updated: 09/03/2025, 20:17:51 UTC

Technical Analysis

CVE-2025-55162 is a vulnerability in the Envoy proxy's OAuth2 filter related to insufficient session expiration handling. Envoy is a widely used open-source Layer 7 proxy designed to facilitate communication in modern service-oriented architectures. The vulnerability affects versions below 1.32.10, 1.33.0 through 1.33.6, 1.34.0 through 1.34.4, and 1.35.0. The core issue lies in the OAuth2 filter's failure to properly delete session cookies when they are configured with __Secure- or __Host- prefixed cookie names. Specifically, during logout operations, the filter attempts to delete cookies by setting Set-Cookie headers but neglects to append the Secure attribute required by modern browsers for cookies with these prefixes. As a result, browsers ignore the deletion request, causing session cookies to persist even after logout. This flaw allows a user to remain logged in on a shared or public computer, enabling subsequent users of the same browser to hijack the session and gain unauthorized access to the original user's account and data. The vulnerability stems from the implementation iterating through configured cookie names without validating or adjusting for the __Secure- or __Host- prefixes, leading to malformed deletion headers. This issue compromises confidentiality by allowing unauthorized access to user sessions but does not directly affect integrity or availability. The vulnerability requires some level of privileges (PR:L) and user interaction (UI:R) to exploit, as the attacker must have access to the same browser environment. The flaw has been fixed in Envoy versions 1.32.10, 1.33.7, 1.34.5, and 1.35.1. The CVSS v3.1 base score is 6.3 (medium severity), reflecting a network attack vector with low complexity but requiring privileges and user interaction, with high confidentiality impact and low integrity impact.
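The failure mode described above comes down to how the deletion Set-Cookie header is built and how a browser's cookie-prefix rules treat it. The following C++ example is added here and is not Envoy's own code: it models a deletion header built without regard for the prefix (the behaviour the advisory describes) beside a hardened form that appends Secure for __Secure- and __Host- names, and a minimal model of a browser's prefix check so that the effect on logout can be observed. The exact header format, the cookie names (constructed to resemble OAuth2 session cookies) and the function names are assumptions of this example, not Envoy's.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

bool hasPrefix(const std::string& s, const std::string& p) {
  return s.size() >= p.size() && s.compare(0, p.size(), p) == 0;
}

// Deletion header built as the advisory describes the flawed behaviour:
// the name is used as-is and no Secure attribute is added. (Header format is assumed.)
std::string deletionHeaderVulnerable(const std::string& name) {
  return name + "=deleted; Max-Age=0; Path=/";
}

// Hardened form: a __Secure- or __Host- name only has effect when Secure is present.
std::string deletionHeaderFixed(const std::string& name) {
  std::string header = name + "=deleted; Max-Age=0; Path=/";
  if (hasPrefix(name, "__Secure-") || hasPrefix(name, "__Host-")) {
    header += "; Secure";
  }
  return header;
}

// Minimal model of a browser's cookie-prefix check (RFC 6265bis, "Cookie Name Prefixes"):
// __Secure- requires the Secure attribute; __Host- requires Secure, Path=/ and no Domain.
// Returns true when the browser would accept, and therefore apply, the Set-Cookie.
bool browserAccepts(const std::string& setCookie) {
  std::vector<std::string> parts;
  std::stringstream ss(setCookie);
  std::string part;
  while (std::getline(ss, part, ';')) {
    auto b = part.find_first_not_of(' ');
    auto e = part.find_last_not_of(' ');
    parts.push_back(b == std::string::npos ? "" : part.substr(b, e - b + 1));
  }
  if (parts.empty()) return false;
  // Prefix matching on the cookie name is case-sensitive; attribute names are not.
  std::string name = parts[0].substr(0, parts[0].find('='));
  bool secure = false, pathRoot = false, hasDomain = false;
  for (size_t i = 1; i < parts.size(); ++i) {
    std::string lower = parts[i];
    std::transform(lower.begin(), lower.end(), lower.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (lower == "secure") secure = true;
    else if (lower == "path=/") pathRoot = true;
    else if (hasPrefix(lower, "domain=")) hasDomain = true;
  }
  if (hasPrefix(name, "__Host-")) return secure && pathRoot && !hasDomain;
  if (hasPrefix(name, "__Secure-")) return secure;
  return true;
}

// Simulate a logout: one deletion header per configured cookie is offered to the
// browser model; names whose deletion is rejected survive in the cookie jar.
std::vector<std::string> cookiesAfterLogout(const std::vector<std::string>& configured,
                                            std::string (*build)(const std::string&)) {
  std::vector<std::string> remaining;
  for (const auto& name : configured) {
    if (!browserAccepts(build(name))) remaining.push_back(name);
  }
  return remaining;
}

// Constructed cookie names for the demonstration (not Envoy's defaults).
const std::vector<std::string> kConfiguredCookies = {
    "__Secure-BearerToken", "__Host-OauthHMAC", "OauthExpires"};
```

With the vulnerable builder only the unprefixed cookie is cleared, so the prefixed session cookies stay in the jar after logout; with the hardened builder all three are removed. A unit test that feeds each configured name through the builder and the prefix check is a cheap regression guard for this class of bug.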

Potential Impact

For European organizations, this vulnerability poses a significant risk in environments where Envoy is deployed as a proxy or gateway, especially in service-oriented or microservices architectures that rely on OAuth2 for authentication. The persistence of session cookies after logout can lead to session hijacking, particularly in shared workstation scenarios such as corporate kiosks, hot desks, or public terminals. This can result in unauthorized access to sensitive corporate data, user accounts, and internal services, potentially violating GDPR requirements around data confidentiality and user privacy. The risk is heightened in sectors with stringent compliance needs such as finance, healthcare, and government institutions. Although the vulnerability does not allow remote code execution or direct system compromise, the unauthorized access to user sessions can facilitate lateral movement or data exfiltration within an organization. The medium severity rating suggests that while the vulnerability is not trivially exploitable remotely without privileges, the impact on confidentiality is substantial enough to warrant urgent remediation in affected environments.

Mitigation Recommendations

European organizations should prioritize upgrading Envoy to the fixed versions 1.32.10, 1.33.7, 1.34.5, or 1.35.1 as soon as possible to ensure the OAuth2 filter correctly handles cookie deletion with the Secure attribute. In addition to patching, organizations should audit their OAuth2 cookie configurations to verify that __Secure- and __Host- prefixed cookies are used correctly and that session management policies enforce strict logout procedures. Implementing additional session invalidation mechanisms server-side can help mitigate risks if client-side cookie deletion fails. Organizations should also enforce strict browser policies on shared devices, including clearing browser caches and cookies upon session termination and restricting access to shared terminals. Monitoring for unusual session reuse or concurrent logins can help detect exploitation attempts. Finally, security teams should review their incident response plans to include scenarios involving session hijacking and unauthorized access due to persistent cookies.
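The recommendation to monitor for session reuse can be checked with a small pass over access logs: a session identifier that keeps appearing after the logout endpoint was hit for it is exactly the symptom this CVE produces. The C++ example below is added here and is not part of the advisory or of Envoy. It assumes a log format of "<epoch-seconds> <session-id> <request-path>" per line, in time order, where the session id is whatever the gateway records for the session cookie (for instance a hash of its value); the log lines, the logout path and the function names are constructed for the example.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct LogEvent {
  long ts;
  std::string session;
  std::string path;
};

// Parse one constructed log line of the form "<epoch> <session-id> <path>".
// Returns false for lines that do not match, so malformed input is skipped rather than misread.
bool parseLine(const std::string& line, LogEvent& out) {
  std::istringstream is(line);
  return static_cast<bool>(is >> out.ts >> out.session >> out.path);
}

// Flag every session identifier that is used again after the logout path was
// requested with it. Lines are assumed to be in time order.
std::vector<std::string> sessionsReusedAfterLogout(const std::vector<std::string>& lines,
                                                   const std::string& logoutPath) {
  std::map<std::string, long> loggedOutAt;  // session id -> time of last logout
  std::set<std::string> flagged;
  for (const auto& line : lines) {
    LogEvent ev;
    if (!parseLine(line, ev)) continue;
    if (ev.path == logoutPath) {
      loggedOutAt[ev.session] = ev.ts;
      continue;
    }
    auto it = loggedOutAt.find(ev.session);
    if (it != loggedOutAt.end() && ev.ts > it->second) {
      flagged.insert(ev.session);
    }
  }
  return std::vector<std::string>(flagged.begin(), flagged.end());
}

// Constructed sample log: sess-a1 logs out and is then seen again with the same cookie.
const std::vector<std::string> kSampleLog = {
    "1700000000 sess-a1 /dashboard",
    "1700000010 sess-a1 /signout",
    "1700000020 sess-b2 /dashboard",
    "1700000030 sess-a1 /account/export",
    "1700000040 sess-b2 /signout",
    "this line is malformed and is ignored",
};

std::vector<std::string> runSample() {
  return sessionsReusedAfterLogout(kSampleLog, "/signout");
}
```

On the sample log only sess-a1 is flagged: its cookie was presented after its own logout, which is what a surviving __Secure- or __Host- cookie looks like from the server side. Server-side invalidation of the session at logout turns the same event from a successful request into a rejected one, which is the stronger control; this check is the detection layer that sits behind it.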


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-07T18:27:23.307Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68b89ee9ad5a09ad00f9f229

Added to database: 9/3/2025, 8:02:49 PM

Last enriched: 9/3/2025, 8:17:51 PM

Last updated: 9/4/2025, 6:00:27 PM
