CVE-2025-55084
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-10-21
Assigner: Eclipse Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | threadx_netx_duo | to 6.4.4.202503 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-126 | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55084 is a moderate severity vulnerability in NetX Duo (Eclipse ThreadX) versions before 6.4.4. It is an off-by-one out-of-bounds read in the function _nx_secure_tls_proc_clienthello_supported_versions_extension(), which processes the "supported versions" extension in a TLS ClientHello packet. The function incorrectly checks the length and then reads two bytes per iteration without ensuring the second byte is within bounds, leading to a buffer over-read if the extension content length is odd. This can cause information disclosure or application instability. [1]
How can this vulnerability impact me? :
This vulnerability can be exploited remotely without any privileges or user interaction. It may lead to information disclosure due to the out-of-bounds read, or cause application instability. However, it does not impact integrity or availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring TLS ClientHello packets for malformed 'supported versions' extensions where the extension content length is odd, potentially causing out-of-bounds reads. Network packet inspection tools like Wireshark or tshark can be used to capture and analyze TLS ClientHello messages. For example, using tshark, you can filter TLS ClientHello packets and inspect the supported_versions extension length field for anomalies. However, no specific detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NetX Duo to version 6.4.4 or later, where this vulnerability is fixed. Avoid using vulnerable versions (prior to 6.4.4). Additionally, applying network-level protections such as filtering or blocking suspicious TLS ClientHello packets with malformed supported versions extensions may help reduce exposure until the update is applied. [1]