CVE-2025-2260
A denial of service vulnerability exists in the NetX HTTP server functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Eclipse ThreadX NetX Duo git commit 6c8e9d1
Eclipse ThreadX NetX Duo - https://github.com/eclipse-threadx/netxduo
6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-459 - Incomplete Cleanup
Eclipse ThreadX NetX Duo is an industrial-grade TCP/IP network stack tailored specifically for deeply embedded real-time and IoT applications. Eclipse ThreadX NetX Duo offers a dual network stack supporting both IPv4 and IPv6.
While processing an HTTP PUT request, the HTTP server will create the requested file and open it for writing. If an error occurs after the file is opened, the file is not properly closed. After that, any subsequent HTTP requests involving a file resource will result in the server responding with a 404 file not found error. This vulnerability affects both HTTP server implementations within NetX Duo.
As you can see in the code below, when an error occurs after the file has been opened, the function _nx_web_http_server_put_process does not properly close the file. A malicious actor can cause this behavior by providing a Content-Length value that is larger than the data contained in the first packet and then failing to send any additional data. The larger Content-Length value will cause the code to attempt to receive an additional packet at [2]. When no additional data is received, that call times out, and execution flow enters the error condition at [3], which leads to an early return at [4] without calling fx_file_close.
File: netxduo\addons\web\nx_web_http_server.c
VOID _nx_web_http_server_put_process(NX_WEB_HTTP_SERVER *server_ptr, NX_PACKET *packet_ptr)
{
...
    /* Open the specified file for writing. */
    status = fx_file_open(server_ptr -> nx_web_http_server_media_ptr, &(server_ptr -> nx_web_http_server_file), server_ptr -> nx_web_http_server_request_resource, FX_OPEN_FOR_WRITE); /*[1]*/
...
    /* If necessary, receive more packets from the TCP socket to complete the write request. */
    while (length || server_ptr -> nx_web_http_server_request_chunked)
    {

        /* Wait for a request. */
        status = _nx_web_http_server_packet_get(server_ptr, &data_packet_ptr); /*[2]*/

        /* Check the return status. */
        if (status != NX_SUCCESS) /*[3]*/
        {

            if (status == NX_WEB_HTTP_GET_DONE)
            {
                break;
            }

            /* Send response back to HTTP Client. */
            _nx_web_http_server_response_send(server_ptr, NX_WEB_HTTP_STATUS_INTERNAL_ERROR,
                                              sizeof(NX_WEB_HTTP_STATUS_INTERNAL_ERROR) - 1,
                                              "NetX HTTP Receive Timeout",
                                              sizeof("NetX HTTP Receive Timeout") - 1, NX_NULL, 0);

            /* Error, return to caller. */
            return; /*[4]*/
        }
The NetX Component HTTP server implementation uses a single file pointer in its instance object. This same file pointer variable is used for processing each request. For example, when processing a subsequent GET request, the file pointer server_ptr -> nx_web_http_server_file at [5] below is the same variable that was used above in _nx_web_http_server_put_process at [1]. Below is the code for processing a GET request.
File: netxduo\addons\web\nx_web_http_server.c
VOID _nx_web_http_server_get_process(NX_WEB_HTTP_SERVER *server_ptr, UINT request_type, NX_PACKET *packet_ptr)
{
...
    /* Open the specified file for reading. */
    status = fx_file_open(server_ptr -> nx_web_http_server_media_ptr, &(server_ptr -> nx_web_http_server_file), server_ptr -> nx_web_http_server_request_resource, FX_OPEN_FOR_READ); /*[5]*/
The function used to open a file, _fxe_file_open, checks at [6] whether the provided file pointer is already open and returns an error rather than opening the requested file. Therefore any subsequent HTTP request involving any file resource will result in the HTTP server responding with a 404 file not found error.
File: filex\common\src\fxe_file_open.c
UINT _fxe_file_open(FX_MEDIA *media_ptr, FX_FILE *file_ptr, CHAR *file_name, UINT open_type, UINT file_control_block_size)
{
...
    /* Check for a duplicate file open. */

    /* Loop to search the list for the same file handle. */
    current_file = media_ptr -> fx_media_opened_file_list;
    open_count = media_ptr -> fx_media_opened_file_count;

    while (open_count--)
    {

        /* See if a match exists. */
        if (file_ptr == current_file) /*[6]*/
        {

            /* Release protection. */
            FX_UNPROTECT

            /* Return error. */
            return(FX_PTR_ERROR);
        }

        /* Move to the next opened file. */
        current_file = current_file -> fx_file_opened_next;
    }
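The handle leak and its effect on later requests, modelled as an added example in C (this is not NetX or FileX code; all type and function names are simplified stand-ins): model_file_open reproduces the duplicate-handle check at [6], model_put_process the early return at [4] with and without the missing fx_file_close, and model_get_open the reuse of the same FX_FILE at [5].

```c
/* Added model of the CVE-2025-2260 handle leak; names are simplified stand-ins, not NetX/FileX APIs. */
#include <stddef.h>

#define FX_SUCCESS    0
#define FX_PTR_ERROR  1
#define NX_SUCCESS    0
#define NX_TIMEOUT    2

typedef struct fx_file { struct fx_file *next; int open; } FX_FILE;
typedef struct { FX_FILE *opened_list; unsigned opened_count; } FX_MEDIA;
/* One FX_FILE per server instance, as in NetX: every request reuses the same handle. */
typedef struct { FX_MEDIA *media; FX_FILE file; } HTTP_SERVER;

/* Mirrors the check at [6]: a handle already on the opened list is refused. */
static unsigned model_file_open(FX_MEDIA *m, FX_FILE *f) {
    FX_FILE *cur = m->opened_list;
    unsigned n = m->opened_count;
    while (n--) {
        if (cur == f) return FX_PTR_ERROR;
        cur = cur->next;
    }
    f->next = m->opened_list; m->opened_list = f; m->opened_count++;
    f->open = 1;
    return FX_SUCCESS;
}

/* Unlinks the handle from the opened list (the fx_file_close the error path lacks). */
static void model_file_close(FX_MEDIA *m, FX_FILE *f) {
    FX_FILE **pp = &m->opened_list;
    while (*pp && *pp != f) pp = &(*pp)->next;
    if (*pp) { *pp = f->next; m->opened_count--; f->open = 0; }
}

/* recv_status stands in for the result of _nx_web_http_server_packet_get at [2];
 * fix_leak selects the corrected error path that closes the file before returning. */
unsigned model_put_process(HTTP_SERVER *s, unsigned recv_status, int fix_leak) {
    if (model_file_open(s->media, &s->file) != FX_SUCCESS) return FX_PTR_ERROR; /* [1] */
    if (recv_status != NX_SUCCESS) {                          /* [3]: receive timed out */
        if (fix_leak) model_file_close(s->media, &s->file);   /* the missing close */
        return recv_status;                                   /* [4]: early return */
    }
    model_file_close(s->media, &s->file);                     /* normal completion */
    return NX_SUCCESS;
}

/* A later GET opens the same FX_FILE at [5]; returns FX_PTR_ERROR if the handle leaked. */
unsigned model_get_open(HTTP_SERVER *s) {
    unsigned st = model_file_open(s->media, &s->file);
    if (st == FX_SUCCESS) model_file_close(s->media, &s->file);
    return st;
}
```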
This vulnerability affects the NetX Duo Web Component HTTP Server implementation, which can be found in netxduo\addons\web\nx_web_http_server.c.
Developers can disable the processing of PUT requests by ending the processing of a PUT request in the application's request notify callback function.
This vulnerability also affects the NetX Duo Component HTTP Server implementation, which can be found in netxduo\addons\http\nxd_http_server.c.
Developers can likewise disable the processing of PUT requests by ending the processing of a PUT request in the application's request notify callback function.
Eclipse has provided an update and released an advisory: https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-f42f-6fvv-xqx3
2024-10-31 - Initial Vendor Contact
2024-10-31 - Vendor Disclosure
2025-03-04 - Vendor Patch Release
2025-04-14 - Public Release
Discovered by Kelly Patterson of Cisco Talos.