CVE-2025-0726
Published: 21 February 2025
Description
In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause a denial of service by specially crafted packets. The core issue is missing closing of a file in case of an error condition, resulting in the 404 error for each further file request. Users can work-around the issue by disabling the PUT request support.
Security Summary
CVE-2025-0726 affects the NetX HTTP server functionality in Eclipse ThreadX NetX Duo versions prior to 6.4.2. The vulnerability stems from a failure to close a file handle under certain error conditions, classified under CWE-459 (Incomplete Cleanup). This issue enables a denial-of-service condition, as evidenced by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no requirements for privileges or user interaction.
An unauthenticated attacker with network access can exploit this vulnerability by sending specially crafted packets, likely targeting PUT requests, to trigger the error condition. Once exploited, the server will return a 404 error for all subsequent file requests, effectively rendering the HTTP service unavailable and causing a denial of service.
Mitigation is available through upgrading to Eclipse ThreadX NetX Duo version 6.4.2 or later, as detailed in the project's GitHub security advisory (GHSA-pwf8-5q9w-m763) and the associated fix commit (c78d650be7377aae1a8704bc0ce5cc6f9f189014). As a workaround, users can disable PUT request support in the NetX HTTP server configuration.
Details
- CWE(s)