This release note describes the changes of Solo builds between Istio versions 1.25.4 and 1.25.5.

Security Notice

This build includes a fix of the Envoy CVE:

  • CVE-2025-55162 (CVSS score: 6.3, Moderate): “oAuth2 Filter Signout route will not clear cookies because of missing ‘Secure;’ flag.”

General

This version was built against upstream Istio release 1.25.5.

  • Added the telemetry field pilot_xds_recv_max to allow monitoring the maximum size of XDS requests received through gRPC. This is a backport from upstream feature that will be introduced in Istio 1.28.