CVE-2025-66220

Summary

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.

Affected Software

VendorProductVersion RangeStatus
envoyproxyenvoy>= 1.36.0, <= 1.36.2affected
envoyproxyenvoy>= 1.35.0, <= 1.35.6affected
envoyproxyenvoy>= 1.34.0, <= 1.34.10affected
envoyproxyenvoy<= 1.33.12affected

Weaknesses

  • CWE-170: CWE-170: Improper Null Termination

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References