Login Sign Up

CVE-2025-66220

5.0 MEDIUM
Authentication Bypass

📋 TL;DR

Envoy's mTLS certificate matcher incorrectly validates certificates with embedded null bytes in OTHERNAME SAN values, potentially allowing unauthorized access. This affects Envoy proxy deployments using mTLS with match_typed_subject_alt_names configuration. Organizations using affected Envoy versions for service-to-service communication are at risk.

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: 1.33.12, 1.34.10, 1.35.6, 1.36.2 and earlier
Operating Systems: All platforms running Envoy
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using mTLS with match_typed_subject_alt_names configuration

📦 What is this software?

Envoy by Envoyproxy

View all CVEs affecting Envoy →

Envoy by Envoyproxy

View all CVEs affecting Envoy →

Envoy by Envoyproxy

View all CVEs affecting Envoy →

Envoy by Envoyproxy

View all CVEs affecting Envoy →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass mTLS authentication and gain unauthorized access to internal services, potentially leading to data exfiltration or lateral movement.

🟠

Likely Case

Unauthorized clients could establish connections to services they shouldn't have access to, violating security boundaries.

🟢

If Mitigated

With proper network segmentation and additional authentication layers, impact would be limited to specific services.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to craft certificates with embedded null bytes and access to mTLS-enabled endpoints

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.33.13, 1.34.11, 1.35.7, 1.36.3

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p

Restart Required: Yes

Instructions:

1. Update Envoy to patched version. 2. Restart Envoy service. 3. Verify configuration remains valid.

🔧 Temporary Workarounds

Disable match_typed_subject_alt_names

all

Remove or disable match_typed_subject_alt_names configuration if not required

# Edit Envoy configuration to remove match_typed_subject_alt_names

🧯 If You Can't Patch

  • Implement network segmentation to limit blast radius
  • Add additional authentication layers beyond mTLS

🔍 How to Verify

Check if Vulnerable:

Check Envoy version and verify if match_typed_subject_alt_names is configured in mTLS settings

Check Version:

envoy --version

Verify Fix Applied:

Verify Envoy version is patched and test mTLS connections with certificates containing null bytes

📡 Detection & Monitoring

Log Indicators:

  • Unexpected mTLS connections from unauthorized certificates
  • Certificate validation errors

Network Indicators:

  • Unusual traffic patterns from mTLS endpoints
  • Connections with malformed certificates

SIEM Query:

source="envoy" AND ("certificate" OR "mTLS") AND ("error" OR "invalid")

📊 Metadata

CVE ID: CVE-2025-66220
CVSS v3 Score: 5.0 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
CWE: CWE-170
EPSS Score: 0% exploit probability (0th percentile)
Published: December 3, 2025
Last Updated: December 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66220, you might also want to check these:

CVE-2021-1469 9.9

Multiple vulnerabilities in Cisco Jabber across Windows, macOS, and mobile platforms allow attackers...

Same vulnerability type (CWE-170)
CVE-2021-1411 9.9

Multiple vulnerabilities in Cisco Jabber across Windows, macOS, and mobile platforms could allow att...

Same vulnerability type (CWE-170)
CVE-2021-1418 9.9

Multiple vulnerabilities in Cisco Jabber across Windows, macOS, and mobile platforms allow attackers...

Same vulnerability type (CWE-170)