CVE-2025-66220: Critical mTLS Bypass Vulnerability in Envoy – Protect Your Proxies!

Overview

CVE-2025-66220 describes a medium severity vulnerability affecting Envoy, a high-performance edge/middle/service proxy. This vulnerability resides in the mTLS certificate matching logic when using match_typed_subject_alt_names. Specifically, certificates containing an embedded null byte (\0) within an OTHERNAME Subject Alternative Name (SAN) value can be incorrectly treated as valid matches, potentially leading to an mTLS bypass.

This affects Envoy versions 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier.

Technical Details

The vulnerability stems from how Envoy parses and validates the OTHERNAME SAN values in client certificates during mTLS authentication. The match_typed_subject_alt_names feature allows Envoy to match specific SAN values against a configured list. However, the affected versions fail to properly handle embedded null bytes (\0) within the OTHERNAME value. This means an attacker could craft a certificate with a malicious OTHERNAME value containing a null byte followed by characters intended to bypass the matching logic.

For example, if Envoy is configured to match the OTHERNAME with the value “valid.domain.com”, an attacker could create a certificate with the OTHERNAME value “invalid\0.domain.com”. Due to the parsing error, Envoy might incorrectly treat this as a valid match.
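The defect class described above, as an added example that is not code from the original post or the Envoy project: it hand-builds a DER-encoded SubjectAltName GeneralNames value carrying otherName entries, parses it back, and runs each value through two matchers. `naive_c_string_match` is a constructed illustration of what goes wrong when an ASN.1 value with an explicit length is handed to NUL-terminated string code; Envoy's actual matching code is not reproduced here. `strict_exact_match` is the defender-side check: refuse embedded NUL bytes outright and compare the value over its full length. The OTHERNAME type OID `1.3.6.1.4.1.99999.1`, the expected value `valid.domain.com` and the three SAN values are constructed for the demonstration.

```python
"""Added example: build, parse and audit otherName SANs for embedded NUL bytes.
Not Envoy code; OIDs and SAN values below are constructed for the demo."""

# --- minimal DER encoding helpers -------------------------------------------

def der_len(n: int) -> bytes:
    """DER length, short form (< 128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER from dotted form, base-128 arcs (first two arcs combined)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

def other_name(type_oid: str, value: bytes) -> bytes:
    """otherName [0] { type-id OID, value [0] EXPLICIT UTF8String }."""
    inner = der_oid(type_oid) + der_tlv(0xA0, der_tlv(0x0C, value))
    return der_tlv(0xA0, inner)

def general_names(*names: bytes) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName."""
    return der_tlv(0x30, b"".join(names))

# --- minimal DER parsing -----------------------------------------------------

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    arcs, cur = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_other_names(san_der: bytes):
    """Return [(type_oid, value_bytes)] for every otherName in a GeneralNames SEQUENCE."""
    tag, seq, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    results, pos = [], 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag != 0xA0:                      # skip dNSName (0x82), URI (0x86), ...
            continue
        _, oid, p = read_tlv(content, 0)     # type-id
        _, explicit, _ = read_tlv(content, p)  # [0] EXPLICIT wrapper
        _, value, _ = read_tlv(explicit, 0)  # the UTF8String, full DER length kept
        results.append((decode_oid(oid), value))
    return results

# --- matching: the bug class beside the hardened check -------------------------

def naive_c_string_match(expected: str, value: bytes) -> bool:
    """Constructed illustration (not Envoy's code): the value is treated as a
    C string, so everything after the first NUL byte is silently dropped."""
    return value.split(b"\x00", 1)[0].decode("utf-8", "replace") == expected

def strict_exact_match(expected: str, value: bytes) -> bool:
    """Hardened: an embedded NUL never belongs in a hostname-like SAN, so reject
    it outright, then compare the whole byte string (length included)."""
    if b"\x00" in value:
        return False
    return value == expected.encode("utf-8")

def audit_cert_san(san_der: bytes, expected: str):
    """Per otherName: does it carry an embedded NUL, and how does each matcher treat it?"""
    return [{"oid": oid, "value": value, "has_embedded_nul": b"\x00" in value,
             "naive_match": naive_c_string_match(expected, value),
             "strict_match": strict_exact_match(expected, value)}
            for oid, value in parse_other_names(san_der)]

# Constructed sample: a private-enterprise OID and three SAN values.
OTHERNAME_OID = "1.3.6.1.4.1.99999.1"
EXPECTED_SAN = "valid.domain.com"
SAMPLE_SAN = general_names(
    other_name(OTHERNAME_OID, b"valid.domain.com"),            # legitimate
    other_name(OTHERNAME_OID, b"valid.domain.com\x00attacker"),  # NUL hides a suffix
    other_name(OTHERNAME_OID, b"invalid\x00.domain.com"),      # the post's shape
)

if __name__ == "__main__":
    for row in audit_cert_san(SAMPLE_SAN, EXPECTED_SAN):
        print(row)
```

Running the script prints one row per otherName; only the legitimate value passes `strict_exact_match`, while the NUL-truncating matcher also accepts the value whose hidden tail follows the NUL. A practitioner auditing an inbound client-certificate set would feed the raw SubjectAltName extension value of each certificate to `audit_cert_san` and treat any row with `has_embedded_nul` set as a certificate to reject or revoke.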

CVSS Analysis

  • CVE ID: CVE-2025-66220
  • Severity: MEDIUM
  • CVSS Score: 5.0

A CVSS score of 5.0 indicates a medium severity vulnerability. While the vulnerability requires a specific configuration (mTLS with match_typed_subject_alt_names) and a crafted certificate, successful exploitation could lead to unauthorized access and privilege escalation.

Possible Impact

A successful exploit of CVE-2025-66220 could have the following impacts:

  • mTLS Bypass: An attacker could bypass mTLS authentication, gaining unauthorized access to protected resources.
  • Data Exposure: Unauthorized access could lead to the exposure of sensitive data.
  • Service Disruption: An attacker could potentially disrupt services by injecting malicious requests.
  • Privilege Escalation: If the compromised service has elevated privileges, the attacker could gain broader control over the system.

Mitigation and Patch Steps

The recommended mitigation is to upgrade Envoy to a patched version. Check the official Envoy project for specific patched versions and release notes.

Upgrade Instructions:

Follow the official Envoy upgrade instructions available on the project website. Ensure a thorough testing process in a non-production environment before deploying the update to production.

Workarounds (If Upgrading Is Not Immediately Possible):

While upgrading is the preferred solution, consider these temporary workarounds:

  • Review mTLS Configurations: Carefully examine your Envoy configurations, specifically those using match_typed_subject_alt_names. Ensure that the expected SAN values are strictly validated.
  • Implement Certificate Revocation: Implement and actively maintain a certificate revocation list (CRL) or use the Online Certificate Status Protocol (OCSP) to revoke potentially malicious certificates.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
