ContextQMD
Back to Istio Io

ISTIO-SECURITY-2025-003

content/en/news/security/istio-security-2025-003/index.md

latest985 B
Original Source

{{< security_bulletin >}}

CVE

Envoy CVEs

  • CVE-2025-66220: (CVSS score 8.1, High): TLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates with OTHERNAME SANs containing an embedded null byte as valid.
  • CVE-2025-64527: (CVSS score 6.5, Medium): Envoy crashes when JWT authentication is configured with the remote JWKS fetching.
  • CVE-2025-64763: (CVSS score 5.3, Medium): Potential request smuggling from early data after the CONNECT upgrade

Am I Impacted?

If you are using Istio to accept WebSocket traffic, you are potentially vulnerable to request smuggling from early data after the CONNECT upgrade. You may also be vulnerable if you are using custom certificates with OTHERNAME SANs or custom JWT authentication with remote JWKS fetching using EnvoyFilter.