ISTIO-SECURITY-2025-003
CVEs reported by Envoy.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2025-66220, CVE-2025-64527, CVE-2025-64763 |
| CVSS Impact Score | 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| Affected Releases | 1.28.0; 1.27.0 to 1.27.3; 1.26.0 to 1.26.6 |
CVE
Envoy CVEs
- CVE-2025-66220 (CVSS score 8.1, High): TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates with OTHERNAME SANs containing an embedded null byte as valid.
- CVE-2025-64527 (CVSS score 6.5, Medium): Envoy crashes when JWT authentication is configured with remote JWKS fetching.
- CVE-2025-64763 (CVSS score 5.3, Medium): Potential request smuggling from early data after the CONNECT upgrade.
Am I Impacted?
If you are using Istio to accept WebSocket traffic, you are potentially vulnerable to request smuggling from early data after the CONNECT upgrade. You may also be vulnerable if you are using custom certificates with OTHERNAME SANs or custom JWT authentication with remote JWKS fetching using EnvoyFilter.
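The following is an added example, not tooling from Istio or Envoy, to turn the two checks above into something runnable: it compares an Istio version string against the affected ranges listed in this bulletin, and it walks an EnvoyFilter object (as you would get from `kubectl get envoyfilter -A -o json`, parsed into a dict) looking for the two opt-in conditions named here, a `match_typed_subject_alt_names` entry whose `san_type` is `OTHER_NAME` and a JWT provider using `remote_jwks`. The key names follow the Envoy configuration fields; the `SAMPLE_ENVOYFILTER` object is constructed for illustration and the path labels in the findings are this example's own convention.

```python
"""Added example: version-range check and EnvoyFilter scan for ISTIO-SECURITY-2025-003.
Not Istio's or Envoy's own code; the sample EnvoyFilter below is constructed."""
import re

# Affected release ranges exactly as listed in the bulletin, inclusive on both ends.
# Releases outside these ranges (for example older, unsupported lines) are not
# covered by the bulletin and simply return False here; judge those separately.
AFFECTED_RANGES = [
    ((1, 28, 0), (1, 28, 0)),
    ((1, 27, 0), (1, 27, 3)),
    ((1, 26, 0), (1, 26, 6)),
]


def parse_version(text):
    """Extract the first x.y.z triple from a version string such as '1.27.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(text):
    """True when the version falls inside one of the bulletin's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


SAN_MATCHER_KEY = "match_typed_subject_alt_names"
REMOTE_JWKS_KEY = "remote_jwks"


def snake(key):
    """EnvoyFilter patch bodies accept camelCase or snake_case; normalise to snake_case."""
    return re.sub(r"([A-Z])", lambda m: "_" + m.group(1).lower(), key)


def find_risky_config(node, path="$"):
    """Recursively collect (finding, path) pairs for the two opt-in conditions."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            p = f"{path}.{key}"
            k = snake(key)
            if k == SAN_MATCHER_KEY and isinstance(value, list):
                for i, matcher in enumerate(value):
                    san_type = str(matcher.get("san_type", matcher.get("sanType", ""))) \
                        if isinstance(matcher, dict) else ""
                    if san_type.upper() == "OTHER_NAME":
                        findings.append(("OTHER_NAME SAN matcher (CVE-2025-66220)", f"{p}[{i}]"))
            elif k == REMOTE_JWKS_KEY:
                findings.append(("remote JWKS fetching (CVE-2025-64527)", p))
            findings.extend(find_risky_config(value, p))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_risky_config(item, f"{path}[{i}]"))
    return findings


# Constructed sample: one EnvoyFilter that exhibits both conditions.
SAMPLE_ENVOYFILTER = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "EnvoyFilter",
    "metadata": {"name": "example-custom-auth", "namespace": "default"},
    "spec": {"configPatches": [
        {"applyTo": "HTTP_FILTER", "patch": {"operation": "INSERT_BEFORE", "value": {
            "name": "envoy.filters.http.jwt_authn",
            "typed_config": {
                "@type": "type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication",
                "providers": {"example": {
                    "issuer": "https://issuer.example",
                    "remote_jwks": {"http_uri": {
                        "uri": "https://issuer.example/.well-known/jwks.json",
                        "cluster": "jwks-cluster", "timeout": "5s"}}}}}}}},
        {"applyTo": "CLUSTER", "patch": {"operation": "MERGE", "value": {
            "transport_socket": {"name": "envoy.transport_sockets.tls", "typed_config": {
                "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
                "common_tls_context": {"validation_context": {
                    "match_typed_subject_alt_names": [
                        {"san_type": "OTHER_NAME", "matcher": {"exact": "example-client"}}]}}}}}}},
    ]},
}


if __name__ == "__main__":
    for v in ("1.26.6", "1.27.3", "1.27.4", "1.28.0"):
        print(v, "affected" if is_affected(v) else "not listed as affected")
    for what, where in find_risky_config(SAMPLE_ENVOYFILTER):
        print(f"{what}: {where}")
```

Run the scan over every EnvoyFilter in the cluster (loop over the `items` of the JSON list) and treat any finding, combined with an affected version, as a reason to prioritise the upgrade; the WebSocket exposure from CVE-2025-64763 is not visible in EnvoyFilter resources and has to be judged from which workloads accept WebSocket traffic.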