GHSA-rwjg-c3h2-f57p

Source

https://github.com/advisories/GHSA-rwjg-c3h2-f57p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-rwjg-c3h2-f57p/GHSA-rwjg-c3h2-f57p.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-rwjg-c3h2-f57p

Aliases

Published

2025-12-05T18:14:02Z

Modified

2025-12-06T12:26:01.868134Z

Severity

5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N CVSS Calculator

Summary

Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte

Details

Summary

Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.

Details

This occurs when the SAN is encoded as a BMPSTRING or UNIVERSALSTRING, and its UTF-8 conversion result is truncated at the first null byte during string assignment. As a result, "victim\0evil" may match an exact: "victim" rule and be accepted by Envoy.

PoC

Create a CA and a server certificate signed by that CA. Create two client certificates signed by the same CA: clientevil with OTHERNAME BMPSTRING = "evil" clientnull with OTHERNAME BMPSTRING = "victim\0evil" Configure Envoy with requireclientcertificate: true and a matchtypedsubjectaltnames entry for the OTHERNAME OID with matcher.exact: "victim". Connect without a client cert → connection rejected. Connect with clientevil → connection rejected. Connect with clientnull → connection accepted (but shouldn't!).

Impact

An attacker who can obtain a trusted client certificate with a null byte embedded in an OTHERNAME SAN can exploit this vulnerability. The practical impact is unauthorized impersonation of the matched identity, enabling access to services or APIs protected by that exact OTHERNAME check.

Credit

markevich.nikita1@gmail.com

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2025-12-03T19:15:58Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-170"
    ],
    "github_reviewed_at": "2025-12-05T18:14:02Z"
}

References

Affected packages

Go

github.com/envoyproxy/envoy

Package

Name: github.com/envoyproxy/envoy; View open source insights on deps.dev
Purl: pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type: SEMVER
Events: Introduced

1.36.0

Fixed

1.36.3

Database specific

last_known_affected_version_range

"<= 1.36.2"

github.com/envoyproxy/envoy

Package

Name: github.com/envoyproxy/envoy; View open source insights on deps.dev
Purl: pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type: SEMVER
Events: Introduced

1.35.0

Fixed

1.35.7

Database specific

last_known_affected_version_range

"<= 1.35.6"

github.com/envoyproxy/envoy

Package

Name: github.com/envoyproxy/envoy; View open source insights on deps.dev
Purl: pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type: SEMVER
Events: Introduced

1.34.0

Fixed

1.34.11

Database specific

last_known_affected_version_range

"<= 1.34.10"

github.com/envoyproxy/envoy

Package

Name: github.com/envoyproxy/envoy; View open source insights on deps.dev
Purl: pkg:golang/github.com/envoyproxy/envoy

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.33.13

Database specific

last_known_affected_version_range

"<= 1.33.12"