{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66220", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-24T23:01:29.679Z", "datePublished": "2025-12-03T18:31:50.389Z", "dateUpdated": "2025-12-03T19:10:53.694Z"}, "containers": {"cna": {"title": "Envoy\u2019s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte", "problemTypes": [{"descriptions": [{"cweId": "CWE-170", "lang": "en", "description": "CWE-170: Improper Null Termination", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p"}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"version": ">= 1.36.0, <= 1.36.2", "status": "affected"}, {"version": ">= 1.35.0, <= 1.35.6", "status": "affected"}, {"version": ">= 1.34.0, <= 1.34.10", "status": "affected"}, {"version": "<= 1.33.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-03T18:31:50.389Z"}, "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy\u2019s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\\0) inside an OTHERNAME SAN value as valid matches."}], "source": {"advisory": "GHSA-rwjg-c3h2-f57p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-03T19:10:43.590627Z", "id": "CVE-2025-66220", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T19:10:53.694Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66220", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-03T19:10:43.590627Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T19:10:49.222Z"}}], "cna": {"title": "Envoy\u2019s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte", "source": {"advisory": "GHSA-rwjg-c3h2-f57p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"status": "affected", "version": ">= 1.36.0, <= 1.36.2"}, {"status": "affected", "version": ">= 1.35.0, <= 1.35.6"}, {"status": "affected", "version": ">= 1.34.0, <= 1.34.10"}, {"status": "affected", "version": "<= 1.33.12"}]}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p", "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy\u2019s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\\0) inside an OTHERNAME SAN value as valid matches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-170", "description": "CWE-170: Improper Null Termination"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-03T18:31:50.389Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66220", "state": "PUBLISHED", "dateUpdated": "2025-12-03T19:10:53.694Z", "dateReserved": "2025-11-24T23:01:29.679Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-03T18:31:50.389Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "B303FFFE-9973-4E7E-8A8C-DE847B725534", "versionEndExcluding": "1.33.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "4419A82D-995F-4DD0-BAE1-3825791245D3", "versionEndExcluding": "1.34.11", "versionStartIncluding": "1.34.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "C50E067C-AE0D-4B14-A442-53603039EFCD", "versionEndExcluding": "1.35.7", "versionStartIncluding": "1.35.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "B39C3DF2-E73F-4B66-9504-C24E329ACB54", "versionEndExcluding": "1.36.3", "versionStartIncluding": "1.36.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy\u2019s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\\0) inside an OTHERNAME SAN value as valid matches."}], "id": "CVE-2025-66220", "lastModified": "2025-12-05T15:44:26.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-03T19:15:58.010", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-170"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "envoy: Envoy: mTLS certificate validation bypass via embedded null byte in SAN", "id": "2418661", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418661"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-170", "details": ["Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy\u2019s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\\0) inside an OTHERNAME SAN value as valid matches.", "A flaw was found in Envoy. This vulnerability allows mTLS (mutual Transport Layer Security) certificate validation bypass via a certificate containing an embedded null byte (\\0) inside an OTHERNAME SAN (Subject Alternative Name) value."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-66220", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/grafana-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-must-gather-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-operator-bundle", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-rhel8-operator", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/pilot-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/proxyv2-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/ratelimit-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-cni-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-must-gather-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-pilot-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-proxyv2-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-rhel9-operator", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-sail-operator-bundle", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh/istio-ztunnel-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "openshift-service-mesh-tech-preview/istio-ztunnel-rhel9", "product_name": "OpenShift Service Mesh 3"}], "public_date": "2025-12-03T18:31:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-66220\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-66220\nhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p"], "statement": "This vulnerability is rated Moderate for Red Hat products. Envoy's mTLS certificate matcher, when configured with `match_typed_subject_alt_names`, may incorrectly validate certificates containing an embedded null byte in the OTHERNAME SAN field. This could allow an attacker to bypass mTLS authentication if they can present a specially crafted certificate.", "threat_severity": "Moderate"}

{"created": "2025-12-04T16:43:54.928285+00:00", "updated": "2025-12-04T16:43:54.928331+00:00", "vendors": ["envoyproxy", "envoyproxy$PRODUCT$envoy"]}