CVE-2025-2260

Source
https://cve.org/CVERecord?id=CVE-2025-2260
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2260.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-2260
Aliases
  • GHSA-f42f-6fvv-xqx3
Published
2025-04-06T18:56:34.730Z
Modified
2026-07-15T02:14:02.800327744Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Eclipse ThreadX NetX Duo HTTP component server denial of service
Details

In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause a denial of service by specially crafted packets. The core issue is missing closing of a file in case of an error condition, resulting in the 404 error for each further file request. Users can work-around the issue by disabling the PUT request support.

This issue follows an incomplete fix of CVE-2025-0726.

Database specific
{
    "cwe_ids": [
        "CWE-459"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/2xxx/CVE-2025-2260.json",
    "cna_assigner": "eclipse"
}
References

Affected packages

Git / github.com/eclipse-threadx/netxduo

Affected ranges

Type
GIT
Repo
https://github.com/eclipse-threadx/netxduo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.4.3"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v6.*
v6.0.1_rel
v6.0.2_rel
v6.0_rel
v6.1.10_rel
v6.1.11_rel
v6.1.12_rel
v6.1.2_rel
v6.1.3_rel
v6.1.4_rel
v6.1.5_rel
v6.1.6_rel
v6.1.7_rel
v6.1.8_rel
v6.1.9_rel
v6.1_rel
v6.2.0_rel
v6.2.1_rel
v6.3.0_rel
v6.4.0_rel
v6.4.1_rel
v6.4.2_rel

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2260.json"