CVE-2025-12233
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-02-24
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ch22_firmware | 1.0.0.1 |
| tenda | ch22 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12233 is a critical buffer overflow vulnerability in the Tenda CH22 router firmware version 1.0.0.1. It occurs in the fromSafeUrlFilter() function of the /goform/SafeUrlFilter endpoint, where the "page" parameter is processed using the unsafe sprintf function without proper length checks. This allows an attacker to send an input larger than the fixed 256-byte buffer, causing memory corruption by overwriting adjacent memory. The vulnerability can be exploited remotely without authentication by sending an oversized "page" parameter, potentially leading to denial of service, arbitrary code execution, or information leakage. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can severely impact you by allowing remote attackers to crash the router's web server (denial of service), execute arbitrary code on the device (which could lead to full device compromise), or leak sensitive information from device memory. Since exploitation requires no authentication and the exploit is publicly available, the risk is high. This can lead to loss of device availability, unauthorized control, and exposure of confidential data. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /goform/SafeUrlFilter endpoint containing an oversized "page" parameter exceeding 256 bytes. A practical detection method is to capture and analyze HTTP traffic for such requests. For example, using tcpdump or tshark to filter HTTP POST requests to /goform/SafeUrlFilter and inspecting the "page" parameter size. A sample command to capture such traffic could be: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i '/goform/SafeUrlFilter'. Additionally, using tools like curl to send crafted requests with large "page" parameters can help test if the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable /goform/SafeUrlFilter endpoint, for example by firewall rules limiting access to trusted IPs only. Applying input validation to ensure the "page" parameter does not exceed 256 bytes is critical. If possible, update or patch the firmware to a version that replaces unsafe sprintf calls with safer functions like snprintf, or apply vendor-provided patches. If no patch is available, consider disabling the vulnerable service or replacing the affected device. Additionally, applying the principle of least privilege to the service and monitoring for exploit attempts are recommended. [1]