CVE-2025-66001: NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)
(updated )
NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server’s authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks. Starting from version 5.4.0, NeuVector supports TLS verification for following connection types:
- Registry Connections
- Auth Server Connections (SAML, LDAP and OIDC)
- Webhook Connections
By default, TLS verification remains disabled, and its configuration is located under Settings > Configuration in the NeuVector UI.
In the patched version, the new NeuVector deployment enables TLS verification by default. For rolling upgrades, NeuVector does not automatically change this setting to prevent disruptions.
Note: When “TLS verification” is enabled, it affects all connections to:
- Registry servers
- Auth servers (SAML, LDAP and OIDC)
- Webhook servers
References
- bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66001
- github.com/advisories/GHSA-4jj9-cgqc-x9h5
- github.com/neuvector/neuvector
- github.com/neuvector/neuvector/commit/955904b5762f296d209bf395a5fcc7a40a53c424
- github.com/neuvector/neuvector/security/advisories/GHSA-4jj9-cgqc-x9h5
- nvd.nist.gov/vuln/detail/CVE-2025-66001
Code Behaviors & Features
Detect and mitigate CVE-2025-66001 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →