istio · istio-testing · Oct 27, 2025 · Oct 20, 2025 · Oct 20, 2025
@@ -425,6 +425,8 @@ CVE-2025-30157
 CVE-2025-46821
 CVE-2025-54588
 CVE-2025-55162
+CVE-2025-62409
+CVE-2025-62504
 CVEs
 cves
 cvss

@@ -1,12 +1,12 @@
 ---
-title: ISTIO-SECURITY-2025-001
+title: ISTIO-SECURITY-2025-002
 subtitle: Security Bulletin
 description: CVEs reported by Envoy.
 cves: [CVE-2025-55162, CVE-2025-54588]
-cvss: "7.5"
-vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-releases: ["1.27.0", "1.26.0 to 1.26.3", "1.25.0 to 1.25.4"]
-publishdate: 2025-09-03
+cvss: "6.6"
+vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+releases: ["1.27.0 to 1.27.1", "1.26.0 to 1.26.5"]
+publishdate: 2025-10-20
 keywords: [CVE]
 skip_seealso: true
 ---
@@ -17,9 +17,10 @@ skip_seealso: true
 
 ### Envoy CVEs
 
-- __[CVE-2025-55162](https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh)__: (CVSS score 6.3, Moderate): OAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag
-- __[CVE-2025-54588](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw)__: (CVSS score 7.5, High): Use after free in DNS cache
+- __[CVE-2025-62504](https://nvd.nist.gov/vuln/detail/CVE-2025-62504)__: (CVSS score 6.5, Medium): Lua modified large enough response body will cause Envoy to crash.
+- __[CVE-2025-62409](https://nvd.nist.gov/vuln/detail/CVE-2025-62409)__: (CVSS score 6.6, Medium): Large requests and responses can cause TCP connection pool crash.
 
 ## Am I Impacted?
 
-You are impacted if you are using Istio 1.27.0, 1.26.0 to 1.26.3, or 1.25.0 to 1.25.4, and you use cookies named with prefix `__Secure-` or `__Host-`, or you are using `EnvoyFilter` with `dynamic_forward_proxy`.
+You are impacted if you use Lua via `EnvoyFilter` that returns an oversized response body exceeding the `per_connection_buffer_limit_bytes` (default 1MB) or where you have large requests
+and responses where a connection can be closed but data from upstream is still being sent.