CVE-2025-55162: CWE-613: Insufficient Session Expiration in envoyproxy envoy
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist. This allows a user to remain logged in after they believe they have logged out, creating a session hijacking risk on shared computers. The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes. This failure to properly construct the deletion header means the user's session cookies are never removed by the browser, leaving the session active and allowing the next user of the same browser to gain unauthorized access to the original user's account and data. This is fixed in versions 1.32.10, 1.33.7, 1.34.5 and 1.35.1.
AI Analysis
Technical Summary
CVE-2025-55162 is a medium severity vulnerability in the OAuth2 HTTP filter of the Envoy proxy. Envoy is a widely used open-source Layer 7 proxy and communication bus designed for modern service-oriented architectures. The flaw is a logout that silently fails when the filter is configured to use cookie names with the __Secure- or __Host- prefixes. Browsers that implement cookie-name prefixes (RFC 6265bis; Chrome, Firefox, Safari and Edge all do) refuse any Set-Cookie whose name starts with __Secure- unless it carries the Secure attribute, and any whose name starts with __Host- unless it carries Secure, has no Domain attribute and has Path=/. These checks apply to every Set-Cookie header, including one whose only purpose is to expire the cookie. In affected versions (all versions below 1.32.10, 1.33.0 through 1.33.6, 1.34.0 through 1.34.4, and 1.35.0) the signout handling iterates over the configured cookie names and emits a deletion header for each, but it never inspects the name for a prefix and so omits the Secure attribute. The browser discards that malformed header and leaves the existing cookie in place. Because the filter keeps its session state in the cookies themselves (the bearer token, an HMAC over the cookies and an expiry value that the filter verifies on each request) rather than in a server-side store, the surviving cookies keep authenticating requests until they expire on their own. The user therefore believes they have logged out while the session remains valid, and the next person to use the same browser profile inherits it. Exploitation requires no network position or elevated privilege, only subsequent access to the same browser after a victim has performed the logout; the realistic scenario is a shared or public workstation. The vulnerability has no availability impact; its main effect is on confidentiality, with a smaller integrity impact since the inherited session can also act on the user's behalf. The fix in Envoy versions 1.32.10, 1.33.7, 1.34.5 and 1.35.1 appends the Secure attribute to the deletion header when the cookie name carries one of these prefixes. The CVSS 3.1 score is 6.3, reflecting medium severity with high confidentiality impact, low integrity impact, and no availability impact.
Potential Impact
For European organizations, this vulnerability poses a tangible risk to user session confidentiality, especially in environments where Envoy is deployed as an OAuth2 proxy for authentication and session management. Organizations using affected Envoy versions may experience session hijacking incidents, particularly in shared workstation scenarios such as public terminals, shared office computers, or environments with multiple users on the same device. This can lead to unauthorized access to sensitive corporate resources, personal data, or internal applications, potentially violating GDPR requirements around data protection and user privacy. The persistence of session cookies after logout undermines user trust and can facilitate lateral movement within networks if attackers gain access to active sessions. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can have severe compliance and reputational consequences. Given Envoy's popularity in cloud-native and microservices architectures, many European enterprises and service providers integrating OAuth2 authentication may be impacted if they have not updated to patched versions. The risk is heightened in sectors with strict data protection mandates such as finance, healthcare, and government, where session hijacking could expose critical personal or financial data.
Mitigation Recommendations
European organizations should immediately audit their Envoy deployments to identify affected versions. Upgrading to the fixed versions (1.32.10, 1.33.7, 1.34.5, or 1.35.1) is the primary and most effective mitigation; after upgrading, confirm the fix by capturing the response of the filter's signout path and checking that every Set-Cookie header for a __Secure- or __Host- cookie carries the Secure attribute. Where immediate upgrade is not feasible, organizations should consider the following additional measures: 1) Review the OAuth2 filter's cookie-name configuration. Renaming the cookies to drop the __Secure- or __Host- prefix restores a working logout on affected builds, but it also forfeits the guarantees the prefixes provide (a __Host- cookie cannot be set with a Domain attribute or overwritten from a sibling subdomain), so treat this as a stop-gap and weigh it against the failed-logout risk. 2) Keep access-token lifetimes short so that a surviving session expires soon after logout; the filter's session lives in the cookies (token, HMAC and expiry) rather than in a server-side store, so "server-side invalidation" here means revoking the token at the identity provider and relying on short expiry. 3) Enforce multi-factor authentication (MFA) so that a hijacked session cannot be used to reach further resources without a fresh challenge. 4) Monitor access logs for activity on a session after its logout request, bearing in mind that the reuse comes from the same browser and network address with a legitimately issued cookie, so generic anomaly detection will rarely distinguish it. 5) Educate users about the risks of shared device usage and encourage explicit closing of the browser (or use of private browsing modes, which discard cookies when the window closes). 6) Where a WAF or proxy sits in front of Envoy, rules that correlate a signout request with later requests carrying the same cookie values can flag the condition, with the same caveat as item 4. These targeted mitigations complement patching and help reduce risk in the interim.
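The following Python is an added example (not Envoy's code and not part of the advisory) that models how a browser applies the Set-Cookie headers of a logout response under the RFC 6265bis cookie-name-prefix rules. It serves both the technical analysis above and the audit step in the mitigation list: `simulate_logout` shows why the affected build leaves the session in place and the fixed build clears it, and `persisting_cookies` is the check to run over the Set-Cookie values captured from your own signout path. The cookie names, the deletion-header layout and the "opaque" login values are all constructed for illustration; the filter's real output may differ in details such as attribute order.

```python
"""Browser-side view of CVE-2025-55162: does a logout response actually clear
the Envoy OAuth2 filter's cookies?  Added example, not Envoy code; every
Set-Cookie line below is constructed for illustration."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed deployment: the filter's default cookie names given a __Host- prefix
# through its cookie_names configuration (illustrative, not a captured config).
COOKIE_NAMES = ["__Host-BearerToken", "__Host-OauthHMAC", "__Host-OauthExpires"]

# Constructed logout responses. Affected builds omit "secure" on the deletion
# header; fixed builds append it.
VULNERABLE_LOGOUT = [
    f"{n}=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT" for n in COOKIE_NAMES
]
FIXED_LOGOUT = [
    f"{n}=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; secure" for n in COOKIE_NAMES
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attrs keys are lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def prefix_violation(name, attrs):
    """Reason a browser implementing RFC 6265bis cookie-name prefixes would reject
    this Set-Cookie, or None if it is acceptable.  The rules apply to every
    Set-Cookie, including one whose only purpose is to expire the cookie."""
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            return "__Host- cookie without Secure"
        if "domain" in attrs:
            return "__Host- cookie with Domain"
        if attrs.get("path") != "/":
            return "__Host- cookie without Path=/"
    elif name.startswith("__Secure-") and "secure" not in attrs:
        return "__Secure- cookie without Secure"
    return None


def is_deletion(attrs, now=None):
    """True if the header asks the browser to expire the cookie immediately.
    Max-Age takes precedence over Expires, as in browsers."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False
    return False


def apply_set_cookie(jar, header, secure_origin=True):
    """Apply one Set-Cookie header to a cookie jar (dict name -> value) the way a
    browser would, returning a short description of what happened."""
    name, value, attrs = parse_set_cookie(header)
    reason = prefix_violation(name, attrs)
    if reason:
        return f"{name}: rejected ({reason}); existing cookie untouched"
    if "secure" in attrs and not secure_origin:
        return f"{name}: rejected (Secure cookie from non-secure origin)"
    if is_deletion(attrs):
        jar.pop(name, None)
        return f"{name}: deleted"
    jar[name] = value
    return f"{name}: stored"


def simulate_logout(cookie_names, logout_headers):
    """Start from a logged-in jar, apply the logout response, and return the
    cookies that survive (these keep the session alive for the next user)."""
    jar = {name: "opaque-login-value" for name in cookie_names}
    for header in logout_headers:
        apply_set_cookie(jar, header)
    return sorted(jar)


def persisting_cookies(logout_headers):
    """Audit helper: given the Set-Cookie values captured from a real logout
    response, list the cookies whose deletion the browser would ignore."""
    stuck = []
    for header in logout_headers:
        name, _, attrs = parse_set_cookie(header)
        if is_deletion(attrs) and prefix_violation(name, attrs):
            stuck.append(name)
    return stuck


if __name__ == "__main__":
    print("affected build leaves:", simulate_logout(COOKIE_NAMES, VULNERABLE_LOGOUT))
    print("fixed build leaves:   ", simulate_logout(COOKIE_NAMES, FIXED_LOGOUT))
    print("audit flags:", persisting_cookies(VULNERABLE_LOGOUT))
```

To audit a live deployment, replace the constructed lists with the Set-Cookie values from the signout response (for example from the browser's network inspector or `curl -i`) and feed them to `persisting_cookies`; an empty result means every prefixed cookie would actually be cleared. Note that the same prefix rules bite on the login path too: a __Host- cookie that the filter sets with a Domain attribute or a path other than `/` would never be stored in the first place, so a configuration that uses the prefixes should be tested end to end rather than only at logout.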
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-07T18:27:23.307Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68b89ee9ad5a09ad00f9f229
Added to database: 9/3/2025, 8:02:49 PM
Last enriched: 9/10/2025, 8:28:40 PM
Last updated: 10/17/2025, 11:43:34 AM