CVE-2025-66220: CWE-170: Improper Null Termination in envoyproxy envoy
CVE-2025-66220 is a medium severity vulnerability in Envoy proxy versions up to 1.36.2, where improper null termination in the mTLS certificate matcher allows certificates with embedded null bytes in OTHERNAME SAN values to be incorrectly accepted as valid. This flaw could lead to unauthorized access by bypassing certificate validation, impacting confidentiality and integrity without requiring user interaction but needing high privileges and network access. No known exploits are currently reported. European organizations using affected Envoy versions in their service mesh or edge proxy infrastructure should prioritize patching to prevent potential misuse. Countries with significant cloud, telecom, and financial sectors relying on Envoy are at higher risk. Mitigation involves upgrading to fixed versions once available and implementing strict certificate validation policies. The vulnerability’s CVSS score is 5.0, reflecting moderate risk due to the complexity of exploitation and limited scope of impact.
AI Analysis
Technical Summary
CVE-2025-66220 is a vulnerability identified in the Envoy proxy, a widely used high-performance edge, middle, and service proxy component. The issue stems from improper handling of null termination (CWE-170) in the mTLS certificate matcher, specifically in the match_typed_subject_alt_names feature. Envoy versions 1.33.12 and earlier, as well as versions up to 1.36.2, incorrectly process certificates that contain an embedded null byte (\0) within an OTHERNAME Subject Alternative Name (SAN) field. This improper null termination causes Envoy to treat such malformed certificates as valid matches during mutual TLS (mTLS) authentication. The consequence is a potential bypass of certificate validation, allowing an attacker with the ability to present a crafted certificate containing an embedded null byte to gain unauthorized access or impersonate a legitimate service. The vulnerability requires network access and privileges to present certificates but does not require user interaction. The CVSS v3.1 base score is 5.0, indicating a medium severity level, with high impact on confidentiality, limited impact on integrity, and no impact on availability. No public exploits or active exploitation in the wild have been reported as of the publication date. The vulnerability affects multiple Envoy versions commonly deployed in cloud-native environments, service meshes, and edge proxy setups, making it relevant for organizations relying on Envoy for secure service-to-service communication.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of internal and external communications secured by Envoy’s mTLS. Attackers exploiting this flaw could impersonate legitimate services or intercept sensitive data by bypassing certificate validation, potentially leading to data breaches or unauthorized access to critical systems. Sectors such as finance, telecommunications, cloud service providers, and critical infrastructure operators that rely heavily on Envoy for secure service mesh or edge proxy deployments are particularly vulnerable. The impact is heightened in environments where strict identity verification is essential for compliance with GDPR and other data protection regulations. Although the vulnerability does not affect availability, the compromise of confidentiality and integrity could result in regulatory penalties, reputational damage, and operational disruptions. The lack of known exploits provides a window for proactive mitigation, but the medium severity score suggests that organizations should not delay remediation.
Mitigation Recommendations
Organizations should immediately inventory their Envoy deployments to identify affected versions (<=1.33.12, 1.34.0 to 1.34.10, 1.35.0 to 1.35.6, and 1.36.0 to 1.36.2). Since no patch links are currently provided, monitor official Envoy releases and security advisories for updates addressing this vulnerability and apply patches promptly once available. In the interim, consider implementing stricter certificate validation policies, such as rejecting certificates with embedded null bytes or other malformed SAN entries at the ingress or certificate issuance level. Employ network segmentation and zero-trust principles to limit the exposure of Envoy instances to untrusted networks. Conduct thorough audits of mTLS configurations to ensure they adhere to best practices and do not rely solely on vulnerable matching logic. Additionally, enhance monitoring and logging around certificate validation failures and mTLS handshakes to detect anomalous activity that could indicate exploitation attempts. Engage with certificate authorities to enforce strict certificate issuance policies that prevent malformed certificates.
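The following is an added illustration of the CWE-170 pattern described above and of the interim check recommended here (rejecting SAN values with embedded null bytes); it is not Envoy's own matcher code, and the SAN strings, the `SanValue` type and the function names are constructed for the example. It contrasts a comparison that stops at the first NUL with a length-aware one that also refuses any value carrying an embedded NUL.

```cpp
// Illustrative model of the CWE-170 pattern, not Envoy's own matcher code.
#include <cstring>
#include <iostream>
#include <string>
#include <string_view>
#include <vector>

// An OTHERNAME SAN value as a certificate parser hands it over: raw bytes
// with an explicit length (ASN.1 strings are not NUL-terminated).
struct SanValue { std::vector<unsigned char> bytes; };

SanValue san_from(std::string_view s) {
    return SanValue{std::vector<unsigned char>(s.begin(), s.end())};
}

// Constructed sample values (not from any real certificate): the crafted
// one carries an embedded NUL right after the expected identity.
const std::string_view kExpectedSan("spiffe://trusted/svc");
const std::string_view kCraftedSan("spiffe://trusted/svc\0.evil", 26);

// Vulnerable pattern: the value is copied with its length (fine so far) but
// then compared as a C string, so everything after the embedded NUL is
// ignored and the crafted value matches the expected identity exactly.
bool matches_exact_unsafe(const SanValue& san, std::string_view expected) {
    std::string value(san.bytes.begin(), san.bytes.end());
    return std::strcmp(value.c_str(), std::string(expected).c_str()) == 0;
}

// Hardened check: refuse any SAN carrying an embedded NUL (no legitimate
// OTHERNAME value contains one) and compare over the full length.
bool has_embedded_nul(const SanValue& san) {
    return !san.bytes.empty() &&
           std::memchr(san.bytes.data(), '\0', san.bytes.size()) != nullptr;
}

bool matches_exact_safe(const SanValue& san, std::string_view expected) {
    if (has_embedded_nul(san)) return false;
    std::string_view full(reinterpret_cast<const char*>(san.bytes.data()),
                          san.bytes.size());
    return full == expected;
}

int main() {
    SanValue crafted = san_from(kCraftedSan);
    std::cout << "unsafe matcher accepts crafted SAN: "
              << matches_exact_unsafe(crafted, kExpectedSan) << '\n';
    std::cout << "safe matcher accepts crafted SAN:   "
              << matches_exact_safe(crafted, kExpectedSan) << '\n';
}
```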
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.679Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693088877d648701e003bbde
Added to database: 12/3/2025, 6:59:19 PM
Last enriched: 12/10/2025, 8:03:24 PM
Last updated: 1/19/2026, 2:44:43 AM