CVE-2025-2259

EUVD-2025-10016

06.04.2025, 19:15

In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before 
version 6.4.3, an attacker can cause an integer underflow and a 
subsequent denial of service by writing a very large file, by specially 
crafted packets with Content-Length in one packet smaller than the data 
request size of the other packet. A possible workaround is to disable 
HTTP PUT support.




This issue follows an incomplete fix of CVE-2025-0727

Wrap or Wraparound

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
eclipse	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 31%

Affected Products (NVD)

Vendor	Product	Version
eclipse	threadx_netx_duo	𝑥 < 6.4.3

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
eclipse	threadx	𝑥 < 6.4.2	CNA

Common Weakness Enumeration

CWE-191 - Integer Underflow (Wrap or Wraparound)
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

References

https://github.com/eclipse-threadx/netxduo/commit/fb3195bbb6d0d6fe71a7a19585c008623c217f9e

https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-chhp-gmxc-46rq

https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2104