References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-415

CWE-459

CWE-908

https://gitlab.eclipse.org/security/cve-assignment/-/work_items/123

[{"vendor":"Eclipse Foundation","product":"Eclipse ThreadX - NetX Duo","defaultStatus":"unaffected","repo":"https://github.com/eclipse-threadx/netxduo","versions":[{"version":"6.4.2","lessThanOrEqual":"6.5.0.202601","versionType":"semver","status":"affected"}]}]