Summary
An integer underflow vulnerability exists in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability.
Users interested in this issue should likely also apply the fix of CVE-2025-2259 (GHSA-chhp-gmxc-46rq)
Confirmed Vulnerable Versions
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Eclipse ThreadX NetX Duo git commit 6c8e9d1
Product URLs
Eclipse ThreadX NetX Duo - https://github.com/eclipse-threadx/netxduo
Details
Eclipse ThreadX NetX Duo is an industrial-grade TCP/IP network stack tailored specifically for deeply embedded real-time and IoT applications. It offers a dual network stack supporting both IPv4 and IPv6
When processing an HTTP PUT request it is possible to cause an integer underflow condition which could result in a very large file to be written to the file system. This could cause a denial of service by consuming all of the file system resources. This vulnerability affects both HTTP server implementations within NetX Duo.
Upon receipt of an HTTP PUT request, the function _nx_web_http_server_put_process is invoked. The content length is extracted from the request at [1] and stored in the variable length. Because the value of length is > 0 execution will eventually enter the loop at [2]. For illustration purposes, let's say that in the HTTP request (the first packet sent) the Content-Length in the HTTP header is 32, but no data is included in this packet. A second packet will be received at [3]. Let's also say that the second packet which contains only data has a length of 33 bytes. At [5] and integer underflow will occur. Since the Content-Length value is stored in the length variable and is 32 in our example, the length of the second packet is calculated at [5] with (UINT)(next_packet_ptr -> nx_packet_append_ptr - next_packet_ptr -> nx_packet_prepend_ptr) and is 33 in our example. After the calculation at [5] is completed, length will be -1. Since the variable length is unsigned, this will be interpreted as the very large number 0xffffffff at [2]. This large number has causes the code to continue executing the loop at [2] when it otherwise shouldn't continue processing. This loop will continue to execute until 0xffffffff bytes are received and also written to the requested file at [4]. To summarize, an attacker could send a Content-Length value in the first packet that is smaller than the length of the data sent in the second packet, and continue sending more data resulting in writing an excessively large file being written. This could potentially consume all of the file system resources.
File: netxduo\addons\web\nx_web_http_server.c
4213: VOID _nx_web_http_server_put_process(NX_WEB_HTTP_SERVER *server_ptr, NX_PACKET *packet_ptr)
4214: {
...
4217: ULONG length = 0;
...
4254: /* Calculate the content length from the request. */
4255: status = _nx_web_http_server_content_length_get(packet_ptr, &length); /*[1]*/
...
4561: /* If necessary, receive more packets from the TCP socket to complete the write request. */
4562: while (length || server_ptr -> nx_web_http_server_request_chunked) /*[2]*/
4563: {
...
4565: /* Wait for a request. */
4566: status = _nx_web_http_server_packet_get(server_ptr, &data_packet_ptr); /*[3]*/
...
4597: /* Write the content of this packet. */
4598: status = fx_file_write(&(server_ptr -> nx_web_http_server_file), next_packet_ptr -> nx_packet_prepend_ptr,
4599: (ULONG)(next_packet_ptr -> nx_packet_append_ptr - next_packet_ptr -> nx_packet_prepend_ptr)); /*[4]*/
...
4618: /* Update the length. */
4619: length = length - (UINT)(next_packet_ptr -> nx_packet_append_ptr - next_packet_ptr -> nx_packet_prepend_ptr); /*[5]*/
NetX Duo Web Component HTTP Server
This vulnerability affects the NetX Duo Web Component HTTP Server implementation which can be found in netxduo\addons\web\nx_web_http_server.c
Mitigation
Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.
NetX Duo Component HTTP Server
This vulnerability affects the NetX Duo Component HTTP Server implementation which can be found in netxduo\addons\http\nxd_http_server.c
Mitigation
Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.
Credit
Discovered by Kelly Patterson of Cisco Talos.
https://talosintelligence.com/vulnerability_reports/
Timeline
2025-01-23 - Public Release
2025-04-06 - Release of GHSA-chhp-gmxc-46rq (CVE-2025-2259) that is a more complete fix of this issue
Summary
An integer underflow vulnerability exists in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability.
Users interested in this issue should likely also apply the fix of CVE-2025-2259 (GHSA-chhp-gmxc-46rq)
Confirmed Vulnerable Versions
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Eclipse ThreadX NetX Duo git commit 6c8e9d1
Product URLs
Eclipse ThreadX NetX Duo - https://github.com/eclipse-threadx/netxduo
Details
Eclipse ThreadX NetX Duo is an industrial-grade TCP/IP network stack tailored specifically for deeply embedded real-time and IoT applications. It offers a dual network stack supporting both IPv4 and IPv6
When processing an HTTP PUT request it is possible to cause an integer underflow condition which could result in a very large file to be written to the file system. This could cause a denial of service by consuming all of the file system resources. This vulnerability affects both HTTP server implementations within NetX Duo.
Upon receipt of an HTTP PUT request, the function
_nx_web_http_server_put_processis invoked. The content length is extracted from the request at[1]and stored in the variablelength. Because the value oflengthis > 0 execution will eventually enter the loop at[2]. For illustration purposes, let's say that in the HTTP request (the first packet sent) theContent-Lengthin the HTTP header is 32, but no data is included in this packet. A second packet will be received at[3]. Let's also say that the second packet which contains only data has a length of 33 bytes. At[5]and integer underflow will occur. Since theContent-Lengthvalue is stored in thelengthvariable and is 32 in our example, the length of the second packet is calculated at[5]with(UINT)(next_packet_ptr -> nx_packet_append_ptr - next_packet_ptr -> nx_packet_prepend_ptr)and is 33 in our example. After the calculation at[5]is completed,lengthwill be -1. Since the variablelengthis unsigned, this will be interpreted as the very large number 0xffffffff at[2]. This large number has causes the code to continue executing the loop at[2]when it otherwise shouldn't continue processing. This loop will continue to execute until 0xffffffff bytes are received and also written to the requested file at[4]. To summarize, an attacker could send aContent-Lengthvalue in the first packet that is smaller than the length of the data sent in the second packet, and continue sending more data resulting in writing an excessively large file being written. This could potentially consume all of the file system resources.NetX Duo Web Component HTTP Server
This vulnerability affects the NetX Duo Web Component HTTP Server implementation which can be found in netxduo\addons\web\nx_web_http_server.c
Mitigation
Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.
NetX Duo Component HTTP Server
This vulnerability affects the NetX Duo Component HTTP Server implementation which can be found in netxduo\addons\http\nxd_http_server.c
Mitigation
Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.
Credit
Discovered by Kelly Patterson of Cisco Talos.
https://talosintelligence.com/vulnerability_reports/
Timeline
2025-01-23 - Public Release
2025-04-06 - Release of GHSA-chhp-gmxc-46rq (CVE-2025-2259) that is a more complete fix of this issue