Cyber Posture

CVE-2025-0728

High

Published: 21 February 2025
Modified: 31 July 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0026 (49.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than the data request size. A possible workaround is to disable HTTP PUT support.

Security Summary

CVE-2025-0728 is an integer underflow vulnerability (CWE-191) in the HTTP server functionality of Eclipse ThreadX NetX Duo versions before 6.4.2. It is triggered while the server writes a very large file received over HTTP PUT: if an attacker sends specially crafted packets whose Content-Length header is smaller than the amount of request data actually delivered, the server's length arithmetic underflows (wraps around) and the request is no longer handled correctly.

An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation causes a denial of service, potentially crashing the affected HTTP server or rendering it unavailable.

The Eclipse ThreadX NetX Duo security advisory (GHSA-hqp7-4q26-6wqf) and associated GitHub commit (c78d650be7377aae1a8704bc0ce5cc6f9f189014) detail the patch in version 6.4.2. A recommended workaround is to disable HTTP PUT support to prevent exploitation.
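To make the mechanism concrete, the following is an added C illustration written for this page; it is not NetX Duo code and not the project's patch. It models a minimal HTTP PUT handler that tracks how many body bytes are still expected, shows the unsigned subtraction wrapping when Content-Length is smaller than the data actually received (the CWE-191 pattern described above), the bounds check that prevents it, and the advisory's workaround of refusing PUT entirely. The request bytes, the `ULONG` typedef, the result codes and all function names are constructed for the example.

```c
/* Added illustration (not NetX Duo code): a constructed model of an HTTP PUT
 * handler whose remaining-length counter underflows when Content-Length is
 * smaller than the body data actually received (CWE-191). */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long ULONG;        /* assumed unsigned length type */

enum mode { MODE_VULNERABLE, MODE_HARDENED, MODE_PUT_DISABLED };

/* Result codes returned by handle_put() (constructed for this example). */
#define RES_OK               0   /* accepted; *remaining filled in */
#define RES_MALFORMED       -1   /* no header terminator or no Content-Length */
#define RES_LENGTH_MISMATCH -2   /* body exceeds Content-Length (hardened) */
#define RES_PUT_DISABLED    -3   /* workaround: PUT support switched off */

/* Constructed requests (NUL-terminated literals, so strtoul() is safe). */
static const char CRAFTED_PUT[] =      /* claims 4 body bytes, delivers 8 */
    "PUT /upload/big.bin HTTP/1.1\r\n"
    "Host: device\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "ABCDEFGH";

static const char VALID_PUT[] =        /* claims 8 body bytes, delivers 8 */
    "PUT /upload/big.bin HTTP/1.1\r\n"
    "Host: device\r\n"
    "Content-Length: 8\r\n"
    "\r\n"
    "ABCDEFGH";

/* Offset of the body (just after "\r\n\r\n"), or -1 if headers are incomplete. */
static long find_body(const char *req, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(req + i, "\r\n\r\n", 4) == 0)
            return (long)(i + 4);
    return -1;
}

/* Parse the Content-Length value from the header block; 1 on success, 0 if
 * the header is absent or carries no number. */
static int parse_content_length(const char *req, size_t hdr_len, ULONG *out)
{
    static const char key[] = "Content-Length:";
    size_t klen = sizeof(key) - 1;
    for (size_t i = 0; i + klen <= hdr_len; i++) {
        if (memcmp(req + i, key, klen) != 0)
            continue;
        const char *p = req + i + klen;
        while (*p == ' ')
            p++;
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p)
            return 0;
        *out = v;
        return 1;
    }
    return 0;
}

/* Handle one PUT packet. On RES_OK, *remaining is the number of body bytes
 * the server still expects before the written file is complete. */
static int handle_put(const char *req, size_t len, enum mode m, ULONG *remaining)
{
    if (m == MODE_PUT_DISABLED)
        return RES_PUT_DISABLED;     /* the advisory's workaround */

    long body = find_body(req, len);
    ULONG content_length;
    if (body < 0 || !parse_content_length(req, (size_t)body, &content_length))
        return RES_MALFORMED;

    ULONG body_bytes = (ULONG)(len - (size_t)body);

    if (m == MODE_HARDENED && body_bytes > content_length)
        return RES_LENGTH_MISMATCH;  /* refuse rather than wrap */

    /* Vulnerable path: unchecked unsigned subtraction. For CRAFTED_PUT this is
     * 4 - 8, which wraps to ULONG_MAX - 3, so the server would keep waiting
     * for (and writing) an enormous file instead of finishing the PUT. */
    *remaining = content_length - body_bytes;
    return RES_OK;
}

/* Small accessors so the outcomes can be inspected and checked. */
static ULONG crafted_put_remaining_vulnerable(void)
{
    ULONG r = 0;
    handle_put(CRAFTED_PUT, sizeof(CRAFTED_PUT) - 1, MODE_VULNERABLE, &r);
    return r;
}

static int crafted_put_result(enum mode m)
{
    ULONG r = 0;
    return handle_put(CRAFTED_PUT, sizeof(CRAFTED_PUT) - 1, m, &r);
}

static ULONG valid_put_remaining_hardened(void)
{
    ULONG r = 99;
    handle_put(VALID_PUT, sizeof(VALID_PUT) - 1, MODE_HARDENED, &r);
    return r;
}

int main(void)
{
    printf("vulnerable remaining: %lu (ULONG_MAX is %lu)\n",
           crafted_put_remaining_vulnerable(), (unsigned long)ULONG_MAX);
    printf("hardened: %d, put disabled: %d, valid request remaining: %lu\n",
           crafted_put_result(MODE_HARDENED), crafted_put_result(MODE_PUT_DISABLED),
           valid_put_remaining_hardened());
    return 0;
}
```

The hardened branch compares the two lengths before subtracting, which is the general fix for this class of bug: any time a remaining-length counter is derived from an attacker-supplied header, the subtraction must be guarded by a check that the subtrahend does not exceed the minuend. The MODE_PUT_DISABLED branch is the coarse mitigation named in the advisory, useful on fielded devices that cannot be rebuilt against 6.4.2 right away.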

Details

CWE(s)
CWE-191

Affected Products

eclipse
threadx netx duo
< 6.4.2 (fixed in 6.4.2)
