CVE-2025-2258

Source
https://cve.org/CVERecord?id=CVE-2025-2258
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2258.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-2258
Aliases
  • GHSA-chqp-8vf8-cj25
Published
2025-04-06T18:50:42.764Z
Modified
2026-07-15T01:49:05.206377014Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Eclipse ThreadX NetX Duo HTTP server single PUT request integer underflow
Details

In NetX Duo component HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than the data request size. A possible workaround is to disable HTTP PUT support.

This issue follows an uncomplete fix in CVE-2025-0728.

Database specific
{
    "cwe_ids": [
        "CWE-191"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/2xxx/CVE-2025-2258.json",
    "cna_assigner": "eclipse"
}
References

Affected packages

Git / github.com/eclipse-threadx/netxduo

Affected ranges

Type
GIT
Repo
https://github.com/eclipse-threadx/netxduo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.4.3"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v6.*
v6.0.1_rel
v6.0.2_rel
v6.0_rel
v6.1.10_rel
v6.1.11_rel
v6.1.12_rel
v6.1.2_rel
v6.1.3_rel
v6.1.4_rel
v6.1.5_rel
v6.1.6_rel
v6.1.7_rel
v6.1.8_rel
v6.1.9_rel
v6.1_rel
v6.2.0_rel
v6.2.1_rel
v6.3.0_rel
v6.4.0_rel
v6.4.1_rel
v6.4.2_rel

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2258.json"