CVE-2025-66220: CWE-170: Improper Null Termination in envoyproxy envoy
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.
AI Analysis
Technical Summary
CVE-2025-66220 is a vulnerability in the Envoy proxy, a widely used high-performance edge, middle, and service proxy. The flaw lies in the mTLS certificate matcher, specifically in the handling of match_typed_subject_alt_names. Envoy versions up to and including 1.33.12, 1.34.10, 1.35.6, and 1.36.2 on their respective release branches improperly process certificates containing an embedded null byte (\0) within an OTHERNAME Subject Alternative Name (SAN) value. Because of improper null termination (CWE-170), the certificate matcher may accept such a certificate as a legitimate match. This can allow an attacker who is able to present a crafted certificate with an embedded null byte to bypass the intended certificate validation checks, potentially enabling unauthorized access or man-in-the-middle attacks in mTLS-secured communications. The vulnerability requires network access and high privileges to exploit, but no user interaction is necessary. The CVSS v3.1 base score of 5.0 indicates medium severity, with high impact on confidentiality, limited impact on integrity, and no impact on availability. No public exploits are currently known, and no patches are linked yet, so remediation may require vendor updates or configuration workarounds. This vulnerability matters most for environments that rely on Envoy for secure service-to-service communication, especially microservices architectures and cloud-native deployments.
Potential Impact
For European organizations, the vulnerability poses a risk to the confidentiality and integrity of internal and external communications secured by Envoy's mTLS. Attackers who can craft certificates with embedded null bytes may bypass certificate validation, potentially impersonating legitimate services or intercepting sensitive data. This could lead to unauthorized data access, lateral movement within networks, and an erosion of trust in service mesh security. Organizations operating critical infrastructure, financial services, or cloud platforms that use Envoy extensively may face an increased risk of targeted attacks exploiting this flaw. The medium severity score reflects that exploitation requires significant privileges and network access, which limits broad exploitation but still leaves a serious threat in high-value environments. The absence of known exploits suggests a window for proactive mitigation. Failure to address this vulnerability could result in regulatory compliance issues under GDPR if the confidentiality of personal data is compromised.
Mitigation Recommendations
European organizations should immediately inventory their Envoy deployments to identify affected versions (<=1.33.12, 1.34.0 to 1.34.10, 1.35.0 to 1.35.6, and 1.36.0 to 1.36.2). Until patches are released, consider disabling or restricting the use of match_typed_subject_alt_names in mTLS configurations to avoid relying on the vulnerable certificate matching logic. Implement strict certificate validation policies, including rejecting certificates with embedded null bytes or unusual SAN fields, through custom validation hooks or external certificate validation tools. Monitor network traffic for anomalous TLS handshake patterns indicative of malformed certificates. Engage with the Envoy maintainers for timely patch releases and apply updates promptly once available. Additionally, conduct penetration testing focused on mTLS certificate validation to confirm that malformed SAN values are rejected. Document and audit all certificate issuance and usage to ensure no unauthorized certificates are accepted. Finally, integrate these checks into continuous security monitoring and incident response plans so that exploitation attempts are detected and handled quickly.
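The defect class named in the Technical Summary and the "reject embedded null bytes" check recommended above, shown side by side as an added example written for this page (it is not Envoy's code and does not reproduce its matcher). SanValue, makeSan, hasEmbeddedNul and the two match functions are constructed for the illustration, as is the sample name svc.example.internal; the point is that a value compared through a NUL-terminated C-string path loses everything after the first 0x00, while a length-aware comparison that refuses embedded NULs does not.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <string_view>
#include <vector>

// Stand-in for a decoded SAN value: DER carries an explicit length, so the
// bytes may contain 0x00. (Constructed type for this example, not Envoy's.)
struct SanValue {
  std::vector<unsigned char> bytes;
};

// Build a SanValue from a string literal; the array size keeps embedded NULs.
template <std::size_t N>
SanValue makeSan(const char (&lit)[N]) {
  return SanValue{std::vector<unsigned char>(lit, lit + N - 1)};
}

// Check for a validation hook: a DNS name, URI or e-mail SAN never
// legitimately contains a NUL, so its presence alone is grounds to reject.
bool hasEmbeddedNul(const SanValue& san) {
  for (unsigned char b : san.bytes) {
    if (b == 0) return true;
  }
  return false;
}

// CWE-170 pattern: the value goes through a C-string API, so everything after
// the first NUL is silently dropped and "name\0junk" compares equal to "name".
bool matchesNullTerminated(const SanValue& san, const std::string& expected) {
  std::string buf(san.bytes.begin(), san.bytes.end());
  return std::strcmp(buf.c_str(), expected.c_str()) == 0;
}

// Hardened form: refuse embedded NULs first, then compare the full length.
bool matchesLengthAware(const SanValue& san, const std::string& expected) {
  if (hasEmbeddedNul(san)) return false;
  std::string_view v(reinterpret_cast<const char*>(san.bytes.data()),
                     san.bytes.size());
  return v == std::string_view(expected);
}

int main() {
  const SanValue forged = makeSan("svc.example.internal\0junk");  // constructed input
  std::printf("null-terminated match: %d\n", matchesNullTerminated(forged, "svc.example.internal"));
  std::printf("length-aware match:    %d\n", matchesLengthAware(forged, "svc.example.internal"));
  return 0;
}
```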
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.679Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693088877d648701e003bbde
Added to database: 12/3/2025, 6:59:19 PM
Last enriched: 12/3/2025, 7:14:40 PM
Last updated: 12/5/2025, 1:01:04 AM