# GHSA-rwjg-c3h2-f57p: Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte

Envoy's mTLS certificate matcher may incorrectly validate certificates with embedded null bytes, leading to potential security bypasses.

### Summary

Envoy's mTLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte (`\0`) inside an `OTHERNAME` SAN value as valid matches.

### Details

This occurs when the SAN is encoded as a `BMPSTRING` or `UNIVERSALSTRING`: its UTF-8 conversion result is truncated at the first null byte during string assignment, because the string is built from the converted buffer's pointer without the length the conversion returned. As a result, a SAN value of `"victim\0evil"` may match an `exact: "victim"` rule and be accepted by Envoy, even though the certificate was issued for a different name.

### PoC

Create a CA and a server certificate signed by that CA. Create two client certificates signed by the same CA: clie…
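The truncation described under Details, as an added example that is not Envoy's own code: `bmpStringToUtf8()` stands in for OpenSSL's `ASN1_STRING_to_UTF8` conversion (only `BMPSTRING`, i.e. UCS-2 big-endian, is modeled; `UNIVERSALSTRING` would follow the same path), and `matchExactVulnerable()` / `matchExactFixed()` are hypothetical stand-ins for the `exact` SAN matcher. The SAN value `"victim\0evil"` is constructed for the example. The vulnerable variant builds the `std::string` from the buffer pointer alone, the fixed variant carries the conversion length.

```cpp
// Added illustration (not Envoy's code) of the NUL-truncation flaw described above.
// bmpStringToUtf8() stands in for OpenSSL's ASN1_STRING_to_UTF8 conversion;
// matchExactVulnerable()/matchExactFixed() are hypothetical stand-ins for the
// SAN exact matcher. All inputs are constructed for the example.
#include <cstdint>
#include <string>
#include <vector>

// Encode a byte string (which may contain '\0') as a BMPSTRING: UCS-2, big-endian.
// Mirrors how a certificate would carry "victim\0evil" in an OTHERNAME SAN.
std::vector<unsigned char> asciiToBmpString(const std::string& s) {
  std::vector<unsigned char> out;
  for (unsigned char c : s) {
    out.push_back(0);  // high byte
    out.push_back(c);  // low byte
  }
  return out;
}

// Decode a BMPSTRING into UTF-8. U+0000 becomes a 0x00 byte in the output, just
// as the real conversion leaves it; the true length is the vector's size.
std::vector<unsigned char> bmpStringToUtf8(const std::vector<unsigned char>& bmp) {
  std::vector<unsigned char> out;
  for (size_t i = 0; i + 1 < bmp.size(); i += 2) {
    const uint16_t cp = static_cast<uint16_t>((bmp[i] << 8) | bmp[i + 1]);
    if (cp < 0x80) {
      out.push_back(static_cast<unsigned char>(cp));
    } else if (cp < 0x800) {
      out.push_back(static_cast<unsigned char>(0xC0 | (cp >> 6)));
      out.push_back(static_cast<unsigned char>(0x80 | (cp & 0x3F)));
    } else {
      out.push_back(static_cast<unsigned char>(0xE0 | (cp >> 12)));
      out.push_back(static_cast<unsigned char>(0x80 | ((cp >> 6) & 0x3F)));
      out.push_back(static_cast<unsigned char>(0x80 | (cp & 0x3F)));
    }
  }
  return out;
}

// Vulnerable pattern: the std::string is built from the buffer pointer alone,
// so it stops at the first NUL and "victim\0evil" collapses to "victim".
bool matchExactVulnerable(const std::vector<unsigned char>& utf8, const std::string& exact) {
  std::vector<unsigned char> buf(utf8);
  buf.push_back(0);  // the real conversion NUL-terminates its output too
  const std::string san(reinterpret_cast<const char*>(buf.data()));  // length ignored
  return san == exact;
}

// Fixed pattern: the length from the conversion is carried into the string, so
// an embedded NUL is an ordinary byte and the comparison sees the whole value.
bool matchExactFixed(const std::vector<unsigned char>& utf8, const std::string& exact) {
  const std::string san(reinterpret_cast<const char*>(utf8.data()), utf8.size());
  return san == exact;
}

// End-to-end: encode the SAN value as a BMPSTRING, convert to UTF-8, then match.
bool vulnerableAccepts(const std::string& sanValue, const std::string& exact) {
  return matchExactVulnerable(bmpStringToUtf8(asciiToBmpString(sanValue)), exact);
}
bool fixedAccepts(const std::string& sanValue, const std::string& exact) {
  return matchExactFixed(bmpStringToUtf8(asciiToBmpString(sanValue)), exact);
}

int main() {
  const std::string forged("victim\0evil", 11);  // constructed attacker-controlled SAN
  // Exit 0 when the vulnerable matcher accepts the forged SAN and the fixed one rejects it.
  return (vulnerableAccepts(forged, "victim") && !fixedAccepts(forged, "victim")) ? 0 : 1;
}
```

The check a reviewer wants on any code that converts an ASN.1 string is the one `matchExactFixed()` makes: every `std::string` (or `absl::string_view`) built from the converted buffer must take the length the conversion returned, never rely on NUL termination, since X.509 string types may legitimately carry U+0000 and the comparison must see the whole value.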