Integer Underflow Vulnerability in Eclipse ThreadX NetX Duo HTTP Server
CVE-2025-2259
5.3 MEDIUM
Summary
In the NetX HTTP server functionality of Eclipse ThreadX NetX Duo, versions prior to 6.4.3, an attacker can exploit an integer underflow vulnerability. This occurs when the attacker sends specially crafted packets that manipulate the Content-Length header, leading to a denial of service. A potential workaround to mitigate this issue is to disable HTTP PUT support. This vulnerability is an extension of an incomplete fix related to a previous security issue.
Affected Version(s)
ThreadX 0 < 6.4.2
CVSS V4
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Kelly Patterson of Cisco Talos