GHSA Advisory · High severity (score 8.8) · Published Jan 8, 2026 · Updated Apr 15, 2026
CVE-2025-66001
Description
NeuVector supports login authentication through OpenID Connect (OIDC). TLS verification for the connection to the OIDC provider, the check of the remote server's certificate that establishes the server's authenticity and protects the integrity of the exchange, is not enforced by default. A deployment left on that default accepts whatever certificate the provider endpoint presents, so an on-path attacker can interpose on the authentication traffic, which exposes the system to man-in-the-middle (MITM) attacks. The fix (commit below) turns 'enforce TLS verification' on by default for new deployments; operators of existing deployments should confirm the setting is enabled rather than assume the upgrade changed it.
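The difference between the vulnerable default and enforced verification, as an added example (not NeuVector's code): a Go client for OIDC discovery whose TLS settings follow a stand-in `SystemConfig` with the `EnableTLSVerification` field named in the fix commit. `NewOIDCHTTPClient`, `FetchIssuer`, `StartUntrustedProvider` and `PoolWith` are hypothetical names written for this example; the local TLS server and the discovery document it serves are constructed here and stand in for an attacker's interposed endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// SystemConfig is a stand-in for the part of the NeuVector system config this
// advisory concerns. The field name matches the one set in the fix commit; the
// type itself is hypothetical, not the project's struct.
type SystemConfig struct {
	EnableTLSVerification bool
}

// NewOIDCHTTPClient builds the HTTP client used to talk to the OpenID Connect
// provider. extraRoots may be nil, in which case the system trust store is used.
func NewOIDCHTTPClient(cfg SystemConfig, extraRoots *x509.CertPool) *http.Client {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if cfg.EnableTLSVerification {
		tlsCfg.RootCAs = extraRoots
	} else {
		// The weak setting: certificate chain and hostname checks are skipped,
		// so a certificate presented by an on-path attacker is accepted.
		tlsCfg.InsecureSkipVerify = true
	}
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: tlsCfg},
	}
}

// FetchIssuer performs OpenID Connect discovery against providerURL and
// returns the issuer claim from the well-known document.
func FetchIssuer(client *http.Client, providerURL string) (string, error) {
	resp, err := client.Get(providerURL + "/.well-known/openid-configuration")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("discovery returned HTTP %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", err
	}
	var doc struct {
		Issuer string `json:"issuer"`
	}
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", err
	}
	return doc.Issuer, nil
}

// StartUntrustedProvider starts a TLS server whose certificate is signed by no
// CA in any trust store. It stands in for an endpoint an attacker interposes
// between NeuVector and the real provider; the discovery document is
// constructed for this example (attacker-controlled in the MITM scenario).
func StartUntrustedProvider() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"issuer":"https://idp.example","authorization_endpoint":"https://idp.example/auth"}`)
	})
	return httptest.NewTLSServer(mux)
}

// PoolWith returns a trust store containing only cert, the way an operator
// pins the provider's CA once verification is enforced.
func PoolWith(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

func main() {
	srv := StartUntrustedProvider()
	defer srv.Close()
	cases := []struct {
		name  string
		cfg   SystemConfig
		roots *x509.CertPool
	}{
		{"verification off (old default)", SystemConfig{EnableTLSVerification: false}, nil},
		{"verification on, system roots", SystemConfig{EnableTLSVerification: true}, nil},
		{"verification on, provider CA pinned", SystemConfig{EnableTLSVerification: true}, PoolWith(srv.Certificate())},
	}
	for _, c := range cases {
		issuer, err := FetchIssuer(NewOIDCHTTPClient(c.cfg, c.roots), srv.URL)
		fmt.Printf("%-40s issuer=%q err=%v\n", c.name, issuer, err)
	}
}
```

With verification off, the client happily reads an issuer from a server it has no reason to trust; with it on, the same request fails with an x509 unknown-authority error until the provider's CA is in the trust store. Turning the flag on is therefore only half of the operator's job: the real provider's certificate chain must also be trusted, or logins will fail instead of being silently interceptable.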
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/neuvector/neuvector | Go | >= 5.3.0, < 5.4.8 | 5.4.8 |
Patches (1)
955904b5762f NVSHAS-10142: Make 'enforce TLS verification' enabled by default for new NV deployment (6)
1 file changed · +10 −0
controller/kv/create.go+10 −0 modified@@ -427,10 +427,20 @@ func createAdmCtrlRules() { } } func createDefaultServiceMeshMonitor() { + modified := false acc := access.NewReaderAccessControl() cfg, rev := clusHelper.GetSystemConfigRev(acc) if !cfg.TapProxymesh { cfg.TapProxymesh = true + modified = true + } + + // enable TLS verification for communications to LDAP/OIDC/webhook/registry servers by default for new deployment + if !cfg.EnableTLSVerification { + cfg.EnableTLSVerification = true + modified = true + } + if modified { _ = clusHelper.PutSystemConfigRev(cfg, rev) } }
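Review bot: the new default is only written when createDefaultServiceMeshMonitor runs and finds EnableTLSVerification false, which per the commit title is the new-deployment path, so an already-installed controller keeps whatever value its stored system config has; if upgraded clusters are meant to stay unchanged, the commit message should say that operators must enable it themselves, and if they are meant to be covered, this needs a separate migration step rather than this hunk. The function is also named for the service-mesh monitor but now owns an unrelated security default; moving the TLS block into its own function (for example a createDefaultSystemConfig) would keep the name honest. Minor: the added comment lists LDAP/OIDC/webhook/registry while the advisory text mentions only OIDC; if the flag really governs all four, the advisory description should say so.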
References
- github.com/advisories/GHSA-4jj9-cgqc-x9h5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-66001 (NVD)
- bugzilla.suse.com/show_bug.cgi (SUSE Bugzilla)
- github.com/neuvector/neuvector/commit/955904b5762f296d209bf395a5fcc7a40a53c424 (fix commit)
- github.com/neuvector/neuvector/security/advisories/GHSA-4jj9-cgqc-x9h5 (NeuVector repository advisory)