CVE-2025-66220 MEDIUM

CVE-2025-66220: Envoy’s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte

Vendor Envoyproxy
Product envoy
Weakness CWE-170
Published December 3, 2025
Last update December 3, 2025

CVSS base score

5.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.

Key dates

Disclosure timeline

December 3, 2025 CVE published
December 3, 2025 Record updated