{"id":"CVE-2025-2259","details":"In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before \nversion 6.4.3, an attacker can cause an integer underflow and a \nsubsequent denial of service by writing a very large file, by specially \ncrafted packets with Content-Length in one packet smaller than the data \nrequest size of the other packet. A possible workaround is to disable \nHTTP PUT support.\n\n\n\n\nThis issue follows an incomplete fix of CVE-2025-0727","aliases":["GHSA-chhp-gmxc-46rq"],"modified":"2026-04-11T00:58:44.769478Z","published":"2025-04-06T19:15:41.020Z","references":[{"type":"ADVISORY","url":"https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-chhp-gmxc-46rq"},{"type":"ADVISORY","url":"https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2104"},{"type":"FIX","url":"https://github.com/eclipse-threadx/netxduo/commit/fb3195bbb6d0d6fe71a7a19585c008623c217f9e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse-threadx/netxduo","events":[{"introduced":"0"},{"fixed":"cd34ed2ab2285b17ff3336ab566b9322d08d06ba"},{"fixed":"fb3195bbb6d0d6fe71a7a19585c008623c217f9e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.4.3"}]}}],"versions":["v6.0.1_rel","v6.0.2_rel","v6.0_rel","v6.1.10_rel","v6.1.11_rel","v6.1.12_rel","v6.1.2_rel","v6.1.3_rel","v6.1.4_rel","v6.1.5_rel","v6.1.6_rel","v6.1.7_rel","v6.1.8_rel","v6.1.9_rel","v6.1_rel","v6.2.0_rel","v6.2.1_rel","v6.3.0_rel","v6.4.0_rel","v6.4.1_rel","v6.4.2_rel"],"database_specific":{"vanir_signatures_modified":"2026-04-11T00:58:44Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-2259.json","vanir_signatures":[{"id":"CVE-2025-2259-850f3ca6","target":{"file":"addons/http/nxd_http_server.c"},"source":"https://github.com/eclipse-threadx/netxduo/commit/fb3195bbb6d0d6fe71a7a19585c008623c217f9e","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9},"signature_type":"Line"},{"id":"CVE-2025-2259-b9b1c343","target":{"file":"addons/http/nxd_http_server.c","function":"_nx_http_server_put_process"},"source":"https://github.com/eclipse-threadx/netxduo/commit/fb3195bbb6d0d6fe71a7a19585c008623c217f9e","signature_version":"v1","deprecated":false,"digest":{"length":7222,"function_hash":"302652052558223009701171974826339947680"},"signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}