CVE-2025-66220
published 2025-12-03


Priority: P336
Severity: high, 7.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:L / A:N
EPSS: 0.16% (5.3th percentile)
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.

Affected (12 ranges)

Vendor     | Product           | Version range         | Fixed in
envoyproxy | envoy             | < 1.33.13             | 1.33.13
envoyproxy | envoy             | <= 1.33.12            |
envoyproxy | envoy             |                       |
envoyproxy | envoy             |                       |
envoyproxy | envoy             |                       |
envoyproxy | envoy             | >= 1.34.0 < 1.34.11   | 1.34.11
envoyproxy | envoy             | >= 1.35.0 < 1.35.7    | 1.35.7
envoyproxy | envoy             | >= 1.36.0 < 1.36.3    | 1.36.3
github.com | envoyproxy_envoy  | >= 0 < 1.33.13        | 1.33.13
github.com | envoyproxy_envoy  | >= 1.34.0 < 1.34.11   | 1.34.11
github.com | envoyproxy_envoy  | >= 1.35.0 < 1.35.7    | 1.35.7
github.com | envoyproxy_envoy  | >= 1.36.0 < 1.36.3    | 1.36.3

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.1   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
vendor_redhat |         | 5.0   | MEDIUM   |