Integer Underflow Vulnerability in Eclipse ThreadX NetX Duo HTTP Server
CVE-2025-0727

5.3MEDIUM

Key Information:

Vendor: Eclipse Foundation
Status: Threadx
Vendor: CVE Published:; 21 February 2025

Summary

The NetX HTTP server in Eclipse ThreadX NetX Duo versions prior to 6.4.2 is vulnerable to an integer underflow. This flaw allows an attacker to create denial of service conditions by sending specially crafted packets with a Content-Length header smaller than the actual data size. This can occur when attempting to write a large file, leading to potential disruptions in service. It is recommended to disable HTTP PUT support as a workaround until a patch is applied.

Affected Version(s)

ThreadX 0 < 6.4.1

References

https://github.com/eclipse-threadx/netxduo/commit/c78d650...

patch

https://github.com/eclipse-threadx/netxduo/security/advis...

vendor-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 21, 2025
Vulnerability Reserved
Jan 27, 2025

Credit

Kelly Patterson of Cisco Talos