This version fixes a significant number of security vulnerabilities and provides a few bug fixes as well. Additionally, an implementation of the ECDHE_PSK cipher suites is now available.
Vulnerabilities addressed (links will not work until the Eclipse security team publishes the advisories)
- CVE-2025-55081 Potential out of bound read in _nx_secure_tls_process_clienthello()
- CVE-2025-55082 Out of bound read and possible info leak in _nx_secure_tls_psk_identity_find()
- CVE-2025-55083 Broken bounds check in _nx_secure_tls_process_clienthello_psk_extension() doesn't account for offset
- CVE-2025-55084 Off-by-one out of bound read in _nx_secure_tls_proc_clienthello_supported_versions_extension()
- CVE-2025-55090 Potential out of bound read issue in _nx_ipv4_packet_receive()
- CVE-2025-55091 Potential out of bound read in _nx_ip_packet_receive()
- CVE-2025-55092 Potential out of bound read in _nx_ipv4_option_process()
- CVE-2025-55093 Out of bound read and write in _nx_ipv4_packet_receive() when handling unicast DHCP messages
- CVE-2025-55094 Potential out-of-bounds read in _nx_icmpv6_validate_options()
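Most of the entries above are bounds-check defects in message parsers: a length taken from the wire that is compared against the buffer size without accounting for the bytes already consumed, or compared with the wrong inequality. The following is an added illustration of the kind of check involved; it is not NetX Secure's code and is not a reconstruction of any of the patched functions. It parses the body of a TLS 1.3 supported_versions extension as a ClientHello carries it (RFC 8446 section 4.2.1: one length byte, then that many bytes of 16-bit versions), and the function and sample names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Parse a ClientHello supported_versions extension body.
 *
 *   ext      points at the extension data (after the 2-byte type and
 *            2-byte extension length already validated by the caller)
 *   ext_len  number of bytes actually available at ext
 *   out      receives the versions found, out_max entries at most
 *
 * Returns the number of versions written, or -1 if the body is malformed
 * or any read would go past ext + ext_len.
 */
int parse_supported_versions(const uint8_t *ext, size_t ext_len,
                             uint16_t *out, size_t out_max)
{
    size_t offset = 0;

    /* The list-length byte itself must be inside the buffer. */
    if (ext_len < 1)
        return -1;
    size_t list_len = ext[offset++];

    /* An empty list or an odd byte count cannot hold 16-bit versions. */
    if (list_len == 0 || (list_len & 1) != 0)
        return -1;

    /*
     * Offset-aware bound: the list must fit in what remains AFTER the
     * byte already consumed. The two classic mistakes are
     *   if (list_len > ext_len)            -- ignores offset, 1 byte over
     *   if (offset + list_len >= ext_len)  -- rejects an exactly-full body
     * Comparing against (ext_len - offset) avoids both; ext_len >= 1 here,
     * so the subtraction cannot underflow.
     */
    if (list_len > ext_len - offset)
        return -1;

    size_t count = list_len / 2;
    if (count > out_max)
        return -1;

    /* Every 2-byte read now stays within [offset, offset + list_len). */
    for (size_t i = 0; i < count; i++) {
        out[i] = (uint16_t)(((uint16_t)ext[offset] << 8) | ext[offset + 1]);
        offset += 2;
    }
    return (int)count;
}

/* Constructed sample extension bodies (not captured traffic). */
static const uint8_t sample_good[]      = { 0x04, 0x03, 0x04, 0x03, 0x03 }; /* TLS 1.3, TLS 1.2 */
static const uint8_t sample_truncated[] = { 0x04, 0x03, 0x04 };             /* claims 4 bytes, carries 2 */
static const uint8_t sample_odd[]       = { 0x03, 0x03, 0x04, 0x03 };       /* odd list length */

static uint16_t demo_versions[4];

/* Returns the parse result for the well-formed sample (2 versions). */
int demo_parse_good(void)
{
    return parse_supported_versions(sample_good, sizeof sample_good,
                                    demo_versions, 4);
}

/* Version at index i from the last demo_parse_good() call, or -1. */
int demo_version_at(size_t i)
{
    return i < 2 ? (int)demo_versions[i] : -1;
}

/* A body whose declared list length exceeds the bytes present must be rejected. */
int demo_parse_truncated(void)
{
    return parse_supported_versions(sample_truncated, sizeof sample_truncated,
                                    demo_versions, 4);
}

/* An odd list length cannot be a sequence of 16-bit versions. */
int demo_parse_odd(void)
{
    return parse_supported_versions(sample_odd, sizeof sample_odd,
                                    demo_versions, 4);
}
```

The truncated sample is the case the offset-blind comparison gets wrong: the declared list length (4) is not greater than the buffer length (5 would be needed, only 3 bytes are present), yet the last 16-bit read would land one byte past the end. Feeding such deliberately short bodies to every length-prefixed parser is a cheap fuzzing target when reviewing a stack like this.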
Upcoming deprecations
We have identified two components that will be deprecated in the next minor release and completely removed in a subsequent release.
Azure IoT Middleware for Azure RTOS
Since Microsoft is no longer directly involved in the Eclipse ThreadX project, the project team does not have access to Azure IoT infrastructure. Accordingly, we cannot properly maintain the Azure IoT Middleware addon. Unless users of Azure IoT are willing to take over maintenance, we will remove the addon from our codebase.
Microsoft still maintains its Azure SDK for Embedded C, upon which the ThreadX Azure IoT Middleware add-on is built. It represents a potential migration path for users.
IPSEC
The Eclipse ThreadX codebase never contained an IPsec implementation, but there are hooks to add one, as such a component was available commercially before ThreadX was made open source. We intend to remove those hooks in the future unless contributors to the project add an open source IPsec stack to NetX Duo.
NetX Duo HTTP Server
The NetX Duo HTTP Server is insecure as it does not support TLS. It was initially added to the code base as a troubleshooting aid and should not be used in production applications. We strongly recommend that developers use the NetX Duo Web Server instead, since it supports TLS.
What's Changed
- Websocket improvement headers. by @joelguittet in #330
- Implementation of ECDHE_PSK cipher suites. by @igortomiatti in #326
- #312 Handle HTTP code 429. by @mdkf in #313
- Fix HKDF implementation to prevent buffer overrun when compiled with NX_SECURE_KEY_CLEAR. by @sjscymru in #317
- Fixed ECDHE_PSK cipher suites implementation. by @fdesbiens in #342
CI
- Fixed the FileX and ThreadX dependencies by @hnguyenHWI in #318
- Fixed the build script and submodule definitions by @fdesbiens in #319
New Contributors
- @joelguittet made their first contribution in #330
- @igortomiatti made their first contribution in #326
- @mdkf made their first contribution in #313
- @sjscymru made their first contribution in #317
Full Changelog: v6.4.3_rel...v.6.4.4.202503_rel