CVE-2025-66220
MEDIUM (GitHub advisory rating; the NVD primary assessment below rates it HIGH)
CVSS 5.0 (GitHub: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N); NVD primary score: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) — the two sources disagree on attack complexity and privileges required, so do not triage on the 5.0 alone
No EPSS data
Description
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy's mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches (CWE-170, improper null termination). Based on the description, exposure appears limited to configurations that validate peer certificates with match_typed_subject_alt_names against OTHERNAME-type SANs; a certificate whose SAN should not match could be accepted, which is why confidentiality impact is rated HIGH by both sources. Per the configuration data below, the fixed releases are 1.33.13, 1.34.11, 1.35.7 and 1.36.3; the vendor advisory (GHSA-rwjg-c3h2-f57p) is tagged as containing exploit details, so patching should not wait on an EPSS score.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2025-66220",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 5,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "HIGH",
"availabilityImpact": "NONE",
"privilegesRequired": "HIGH",
"confidentialityImpact": "HIGH"
},
"impactScore": 4.2,
"exploitabilityScore": 0.7
},
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 7.1,
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "LOW",
"confidentialityImpact": "HIGH"
},
"impactScore": 4.2,
"exploitabilityScore": 2.8
}
]
},
"published": "2025-12-03T19:15:58.010",
"references": [
{
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p",
"tags": [
"Exploit",
"Vendor Advisory"
],
"source": "security-advisories@github.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-170"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy\u2019s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\\0) inside an OTHERNAME SAN value as valid matches."
}
],
"lastModified": "2025-12-05T15:44:26.663",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B303FFFE-9973-4E7E-8A8C-DE847B725534",
"versionEndExcluding": "1.33.13"
},
{
"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4419A82D-995F-4DD0-BAE1-3825791245D3",
"versionEndExcluding": "1.34.11",
"versionStartIncluding": "1.34.0"
},
{
"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C50E067C-AE0D-4B14-A442-53603039EFCD",
"versionEndExcluding": "1.35.7",
"versionStartIncluding": "1.35.0"
},
{
"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B39C3DF2-E73F-4B66-9504-C24E329ACB54",
"versionEndExcluding": "1.36.3",
"versionStartIncluding": "1.36.0"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}