Integer Underflow Vulnerability in Eclipse ThreadX NetX Duo HTTP Server Functionality
CVE-2025-0728

5.3MEDIUM

Key Information:

Vendor: Eclipse Foundation
Status: Threadx
Vendor: CVE Published:; 21 February 2025

Summary

In the HTTP server functionality of Eclipse ThreadX NetX Duo prior to version 6.4.2, an integer underflow vulnerability can be exploited by attackers. This occurs when a specially crafted packet is sent with a Content-Length that is smaller than the actual request size, allowing malicious users to write exceedingly large files. As a result, this vulnerability can lead to a denial of service condition for the affected applications. A possible workaround to mitigate this issue is to disable HTTP PUT support.

Affected Version(s)

ThreadX 0 < 6.4.1

References

https://github.com/eclipse-threadx/netxduo/commit/c78d650...

patch

https://github.com/eclipse-threadx/netxduo/security/advis...

vendor-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 21, 2025
Vulnerability Reserved
Jan 27, 2025

Credit

Kelly Patterson of Cisco Talos