Integer Underflow Vulnerability in Eclipse ThreadX NetX Duo HTTP Server
CVE-2025-2258

5.3MEDIUM

Key Information:

Vendor: Eclipse Foundation
Status: Threadx
Vendor: CVE Published:; 6 April 2025

Summary

The Eclipse ThreadX NetX Duo component's HTTP server is susceptible to an integer underflow vulnerability. Attackers can exploit this flaw by sending specially crafted packets with a Content-Length that is smaller than the actual data request size, which can lead to a denial of service condition. This issue persists despite a previous fix attempt in CVE-2025-0728. To mitigate the risk, administrators may consider disabling HTTP PUT functionality as a temporary workaround.

Affected Version(s)

ThreadX 0 < 6.4.2

References

https://github.com/eclipse-threadx/netxduo/commit/6c8e9d1...

patch

https://github.com/eclipse-threadx/netxduo/security/advis...

vendor-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Apr 6, 2025
Vulnerability Reserved
Mar 12, 2025

Credit

Kelly Patterson of Cisco Talos