In the NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause a denial of service with specially crafted packets. The core issue is that a file is not closed when an error condition occurs, which results in a 404 error for every subsequent file request. Users can work around the issue by disabling PUT request support.
This issue follows an incomplete fix of CVE-2025-0726.
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-2260.json"
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
]
},
"source": "https://github.com/eclipse-threadx/netxduo/commit/fb3195bbb6d0d6fe71a7a19585c008623c217f9e",
"target": {
"file": "addons/http/nxd_http_server.c"
},
"signature_type": "Line",
"deprecated": false,
"id": "CVE-2025-2260-850f3ca6",
"signature_version": "v1"
},
{
"digest": {
"length": 7222.0,
"function_hash": "302652052558223009701171974826339947680"
},
"source": "https://github.com/eclipse-threadx/netxduo/commit/fb3195bbb6d0d6fe71a7a19585c008623c217f9e",
"target": {
"file": "addons/http/nxd_http_server.c",
"function": "_nx_http_server_put_process"
},
"signature_type": "Function",
"deprecated": false,
"id": "CVE-2025-2260-b9b1c343",
"signature_version": "v1"
}
]