Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.

INFO

Published Date :

2025-12-03T18:31:50.389Z

Last Modified :

2025-12-03T19:10:53.694Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66220 vulnerability.

Vendors Products
Envoyproxy
  • Envoy
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66220.

URL Resource
https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-66220 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-66220 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact