You are viewing the documentation for Solo Enterprise for Istio, formerly known as Gloo Mesh (OSS APIs). This version of the documentation is currently under development. Select latest from the version drop down or go to the landing page of the latest stable version.

1.25.5-patch5


Solo build of Istio version 1.25.5-patch5 patch release.

This release note describes what’s different between Solo builds of Istio versions 1.25.5-patch4 and 1.25.5-patch5.

Security Notice

Envoy CVEs

  • CVE-2026-26308: (CVSS score 7.5, High): Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
  • CVE-2026-26311: (CVSS score 5.9, Medium): Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet destroyed, potentially causing use-after-free conditions.
  • CVE-2026-26310: (CVSS score 5.9, Medium): Fixed a crash in Utility::getAddressWithPort when called with a scoped IPv6 address (e.g., fe80::1%eth0).
  • CVE-2026-26309: (CVSS score 5.3, Medium): Fixed an off-by-one write in JsonEscaper::escapeString() that could corrupt the string null terminator.
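The difference the CVE-2026-26308 fix describes, concatenated versus per-value header matching, can be modelled to find which policy matchers change verdict after upgrading. This is an added example, not Envoy or Solo code; the "," joiner, the any-value semantics, the rule names and the x-role header are assumptions made for illustration.

```python
# Simplified model, not Envoy code. Assumptions: the pre-fix matcher joins
# repeated header values with "," and the fixed matcher treats a rule as
# matched when any single value matches.
from typing import Callable, Dict, List

Matcher = Callable[[str], bool]


def exact(want: str) -> Matcher:
    return lambda v: v == want


def prefix(want: str) -> Matcher:
    return lambda v: v.startswith(want)


def match_concatenated(m: Matcher, values: List[str]) -> bool:
    """Pre-fix model: one match over the joined string."""
    return bool(values) and m(",".join(values))


def match_per_value(m: Matcher, values: List[str]) -> bool:
    """Post-fix model: each value is checked on its own."""
    return any(m(v) for v in values)


def divergent_rules(rules: Dict[str, Matcher], values: List[str]) -> List[str]:
    """Names of rules whose verdict changes between the two models."""
    return [name for name, m in rules.items()
            if match_concatenated(m, values) != match_per_value(m, values)]


# Constructed sample: matchers a DENY policy might place on an "x-role" header.
RULES = {
    "deny-exact-admin": exact("admin"),
    "deny-prefix-admin": prefix("admin"),
}

if __name__ == "__main__":
    # Constructed header value sets, as they might appear in policy test fixtures.
    for values in (["admin"], ["guest", "admin"], ["admin", "guest"]):
        print(values, "->", divergent_rules(RULES, values))
```

Rules reported as divergent are the ones whose enforcement depended on the old concatenation behaviour and should be re-tested against the patched build.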

Istio CVEs

The following security fixes were backported:

Other Istio Security Fixes

The following security fixes were backported:

  • Fixed XDS debug endpoints on plaintext port 15010 to require authentication, preventing unauthenticated access to proxy configuration.
  • Fixed potential SSRF in WasmPlugin image fetching by validating bearer token realm URLs.
  • Fixed HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access.

Solo Flavor Changes

No changes in this section.

FIPS Flavor Changes

No changes in this section.
