CVE-2025-66220 — Improper Null Termination in Envoyproxy Envoy

CWE-170 — Improper Null Termination5 documents5 sources

Severity

7.1HIGHNVD

CNA5.0

EPSS

0.0%

top 99.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Envoyproxy Envoy Envoyproxy Envoy

Timeline

PublishedDec 3

Latest updateDec 5

Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages3 packages

▶NVDenvoyproxy/envoy1.34.0 — 1.34.11+3

▶Gogithub.com/envoyproxy_envoy1.36.0 — 1.36.3+3

▶CVEListV5envoyproxy/envoy1.33.12+3

🔴Vulnerability Details

OSV

Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte↗2025-12-05

▶

GHSA

Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte↗2025-12-05

▶

CVEList

Envoy’s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte↗2025-12-03

▶

📋Vendor Advisories

Red Hat

envoy: Envoy: mTLS certificate validation bypass via embedded null byte in SAN↗2025-12-03

▶