CVE-2025-55083
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-21
Assigner: Eclipse Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | threadx_netx_duo | to 6.4.4.202503 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-126 | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55083 is a moderate severity vulnerability in the NetX Duo library (Eclipse ThreadX) versions before 6.4.4. It occurs in the function that processes Pre-Shared Key (PSK) identities in a TLS ClientHello message. The function performs a bounds check on the PSK identity list length but fails to account for a 2-byte offset, causing it to read beyond the buffer boundary by up to two bytes. This off-by-two buffer over-read can lead to reading memory outside the intended buffer during TLS ClientHello parsing. [1]
How can this vulnerability impact me? :
This vulnerability can be exploited remotely over the network without any privileges or user interaction, with low attack complexity. The impact is limited to a low confidentiality loss due to the out-of-bounds read. There are no effects on integrity or availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for TLS ClientHello messages containing PSK extensions and analyzing them for malformed PSK identity list lengths that could trigger the out-of-bounds read. Since the vulnerability occurs during TLS ClientHello PSK extension processing, using packet capture tools like Wireshark or tcpdump to capture TLS handshakes and inspecting the ClientHello messages for abnormal PSK extension lengths may help. However, no specific detection commands or signatures are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NetX Duo to version 6.4.4 or later, where the vulnerability has been patched. Since the vulnerability can be exploited remotely without privileges or user interaction, applying the official patch from Eclipse Foundation is critical. Additionally, monitoring network traffic for suspicious TLS ClientHello messages and restricting untrusted network access to affected systems can help reduce exposure until the patch is applied. [1]