8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66001

CVE-2025-66001: NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)

NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66001

CVE-2025-66001:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/neuvector/neuvector	go	>= 5.3.0, < 5.4.8	5.4.8

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in NeuVector's default configuration, which did not enforce TLS verification for OpenID Connect, making it susceptible to Man-in-the-Middle (MITM) attacks. The analysis of the provided patch 955904b5762f296d209bf395a5fcc7a40a53c424 reveals that the function createDefaultServiceMeshMonitor in controller/kv/create.go is responsible for setting the initial system configuration. The patch modifies this function to set the EnableTLSVerification flag to true by default for new deployments. This change ensures that TLS verification is enforced for connections to authentication servers (including OIDC), registries, and webhooks, thereby closing the security gap. Although this function does not directly handle malicious input, it is the root cause of the vulnerability as it established the insecure default setting.

Vulnerable functions

createDefaultServiceMeshMonitor

controller/kv/create.go

This function is responsible for creating the default system configuration. The vulnerability stemmed from TLS verification being disabled by default. The patch modifies this function to enable `EnableTLSVerification` by default for new deployments, thus mitigating the Man-in-the-Middle (MITM) vulnerability for OIDC, LDAP, webhook, and registry connections.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66001: NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)

CVE-2025-66001:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-66001: NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)

8.8

8.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI