Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
AV:N for network-delivered attack; AC:H for required upstream control or MITM position; PR:N because the attacker needs no privileges on the Envoy instance itself, only control of an external upstream endpoint.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
AnalysisAI
Certificate SAN validation in Envoy Proxy is bypassed when an attacker-controlled upstream serves a TLS certificate containing an embedded NUL byte in the dNSName Subject Alternative Name field. Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 are affected, allowing an attacker who controls or can impersonate an upstream TLS endpoint to pass Envoy's configured SAN match check with a fraudulent certificate and intercept proxied traffic. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker be in a network position to serve a TLS certificate to Envoy acting as a TLS client connecting to an upstream - either by directly controlling the upstream server or by executing a man-in-the-middle attack on the Envoy-to-upstream network segment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-provided CVSS 3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N yields a score of 4.4, reflecting high attack complexity and a high privilege prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or can perform a man-in-the-middle attack against an upstream server that Envoy routes traffic to crafts a TLS certificate with a dNSName SAN of 'trusted.example.com\x00.attacker.com' and presents it during the TLS handshake. Envoy's verifySubjectAltName extracts the full SAN string but the subsequent .c_str() call causes strlen()-based truncation inside dnsNameMatch, reducing the evaluated string to 'trusted.example.com', which matches the operator-configured config_san. … |
| Remediation | The definitive fix is upgrading Envoy to a patched release: 1.35.11, 1.36.7, 1.37.3, or 1.38.1, per the vendor GitHub Security Advisory at https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.8
An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1
Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1
Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Rated
When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). R
Envoy's RBAC filter improperly concatenates duplicate HTTP headers into comma-separated strings instead of validating ea
Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i
Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i
Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39818