CVE-2025-69209
- Source
- https://cve.org/CVERecord?id=CVE-2025-69209
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69209.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-69209
- Aliases
-
- GHSA-pvx3-fm7w-6hjm
- Downstream
- Published
- 2026-01-21T20:00:41.026Z
- Modified
- 2026-03-14T12:46:12.801397Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- ArduinoCore-avr has Stack-Based Buffer Overflow in WString Float/Double Constructors
- Details
-
ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large
decimalPlacesvalues to the affected String constructors or concat methods, thedtostrffunction writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under specific conditions, this could enable arbitrary code execution on AVR-based Arduino boards.Patches
The Fix is included starting from the
1.8.7release available from the following link ArduinoCore-avr v1.8.7The Fixing Commit is available at the following link 1a6a417f89c8901dad646efce74ae9d3ddebfd59
References
Credits
- Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/)
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69209.json", "cwe_ids": [ "CWE-120" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69209.json
- https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7
- https://github.com/arduino/ArduinoCore-avr/pull/613
- https://github.com/arduino/ArduinoCore-avr/releases/tag/1.8.7
- https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm
- https://nvd.nist.gov/vuln/detail/CVE-2025-69209
- https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability
Affected packages
Git / github.com/arduino/arduinocore-avr
Affected ranges
- Type
- GIT
- Repo
- https://github.com/arduino/arduinocore-avr
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/arduino/arduinocore-avr
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed