Executive Summary

CVE-2025-55083 is a moderate severity vulnerability in the NetX Duo library (Eclipse ThreadX) versions before 6.4.4. It occurs in the function that processes Pre-Shared Key (PSK) identities in a TLS ClientHello message. The function performs a bounds check on the PSK identity list length but fails to account for a 2-byte offset, causing it to read beyond the buffer boundary by up to two bytes. This off-by-two buffer over-read can lead to reading memory outside the intended buffer during TLS ClientHello parsing. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited remotely over the network without any privileges or user interaction, with low attack complexity. The impact is limited to a low confidentiality loss due to the out-of-bounds read. There are no effects on integrity or availability. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring network traffic for TLS ClientHello messages containing PSK extensions and analyzing them for malformed PSK identity list lengths that could trigger the out-of-bounds read. Since the vulnerability occurs during TLS ClientHello PSK extension processing, using packet capture tools like Wireshark or tcpdump to capture TLS handshakes and inspecting the ClientHello messages for abnormal PSK extension lengths may help. However, no specific detection commands or signatures are provided in the available resources. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade NetX Duo to version 6.4.4 or later, where the vulnerability has been patched. Since the vulnerability can be exploited remotely without privileges or user interaction, applying the official patch from Eclipse Foundation is critical. Additionally, monitoring network traffic for suspicious TLS ClientHello messages and restricting untrusted network access to affected systems can help reduce exposure until the patch is applied. [1]

Useful 0 Not Useful 0