CNNVD-202509-245 Information

CNNVD ID

CNNVD-202509-245

CVE-2025-55162

  • CNNVD Published: 2025-09-03

Description (translated from Chinese)

Envoy is an open-source gateway program from Enphase for connecting smart-home devices. Envoy has a code-issue vulnerability: when the OAuth2 filter deletes __Secure-/__Host- prefixed session cookies it omits the Secure attribute, so the browser rejects the deletion instruction and the session remains alive after the user logs out. The following versions are affected: versions before 1.32.10, 1.33.0 through 1.33.6, 1.34.0 through 1.34.4, and 1.35.0.

Description (English)

Envoy is an Enphase open-source gateway for connecting smart-home devices. Envoy has a code-issue vulnerability that stems from the OAuth2 filter omitting the Secure attribute when deleting __Secure-/__Host- prefixed session cookies, which causes the browser to reject the deletion instruction, so the session stays alive after the user logs out. The following versions are affected: versions before 1.32.10, 1.33.0 through 1.33.6, 1.34.0 through 1.34.4, and 1.35.0.
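As an added example (not Envoy's code and not part of this record), the following models the browser-side cookie-prefix rules from RFC 6265bis to show why a deletion Set-Cookie for a __Secure-/__Host- cookie that lacks the Secure attribute is dropped whole, leaving the session cookie in place after logout. The cookie name and token value are constructed, and a secure (HTTPS) origin is assumed.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute_lowercased: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs

def browser_accepts(name, attrs):
    """Prefix rules a browser checks before storing OR deleting a cookie (HTTPS origin assumed)."""
    secure = "secure" in attrs
    if name.startswith("__Host-"):
        return secure and attrs.get("path") == "/" and "domain" not in attrs
    if name.startswith("__Secure-"):
        return secure
    return True

def apply_set_cookie(jar, header):
    """Apply one Set-Cookie header to a cookie jar; Max-Age<=0 means delete."""
    name, value, attrs = parse_set_cookie(header)
    if not browser_accepts(name, attrs):
        return jar  # header rejected as a whole: nothing stored, nothing removed
    max_age = attrs.get("max-age")
    if max_age is not None and int(max_age) <= 0:
        jar.pop(name, None)
    else:
        jar[name] = value
    return jar

def clear_header(name, fixed=True):
    """Logout deletion header; fixed=False reproduces the missing-Secure behaviour in this record."""
    attrs = [f"{name}=", "Max-Age=0", "Path=/", "HttpOnly"]
    if fixed and name.startswith(("__Secure-", "__Host-")):
        attrs.append("Secure")  # without it the browser drops the whole deletion header
    return "; ".join(attrs)

def logout_leaves_session(login_header, logout_header):
    """Simulate login (server sets cookie) then logout; True means the cookie survived."""
    jar = apply_set_cookie({}, login_header)
    name = parse_set_cookie(login_header)[0]
    return name in apply_set_cookie(jar, logout_header)

if __name__ == "__main__":
    SESSION = "__Secure-Session"  # constructed name, not the filter's real cookie name
    login = f"{SESSION}=opaque-token; Path=/; Secure; HttpOnly"
    print("vulnerable logout keeps session:", logout_leaves_session(login, clear_header(SESSION, fixed=False)))
    print("fixed logout keeps session:", logout_leaves_session(login, clear_header(SESSION)))
```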

Hazard Level

High

Vulnerability Type

Code issue

Affected Vendor

Enphase

Published

2025-09-03

Last Modified

2026-02-24

References

https://github.com/envoyproxy/envoy/releases/tag/v1.35.1
https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh

Patch

https://www.envoyproxy.io/
