This service release addresses vulnerabilities in the NetX Duo HTTP Server. The same vulnerabilities had been fixed in the NetX Duo Web Server in release v6.4.2.
Please note that the NetX Duo HTTP Server is insecure because it does not support TLS. It was initially added to the code base as a troubleshooting aid and should not be used in production applications. We will deprecate the HTTP server in the next minor release and completely remove it in a subsequent release. We strongly recommend that developers use the NetX Duo Web Server instead, since it supports TLS.
What's Changed
- Fix/internal http put by @hnguyenHWI in #304
- Version v6.4.3 by @fdesbiens in #307
- Release version v.6.4.3 by @fdesbiens in #308
Vulnerabilities addressed
- CVE-2025-2258: Eclipse ThreadX NetX Duo HTTP component server single PUT request integer underflow vulnerability
- CVE-2025-2259: Eclipse ThreadX NetX Duo HTTP Component server chunked PUT request integer underflow
- CVE-2025-2260: Eclipse ThreadX NetX Duo HTTP Component server denial of service
New Contributors
- @hnguyenHWI made their first contribution in #304
Full Changelog: v6.4.2_rel...v6.4.3_rel