EUVD-2025-18388CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability was discovered in Apache NuttX RTOS apps/exapmles/xmlrpc application. In this example application device stats structure that stored remotely provided parameters had hardcoded buffer size which could lead to buffer overflow. Structure members buffers were updated to valid size of CONFIG_XMLRPC_STRINGSIZE+1. This issue affects Apache NuttX RTOS users that may have used or base their code on example application as presented in releases from 6.22 before 12.9.0. Users of XMLRPC in Apache NuttX RTOS are advised to review their code for this pattern and update buffer sizes as presented in the version of the example in release 12.9.0.
Analysis
Buffer overflow vulnerability in the Apache NuttX RTOS xmlrpc example application where device statistics structures use hardcoded buffer sizes that do not account for the CONFIG_XMLRPC_STRINGSIZE configuration parameter, allowing remote attackers to overflow memory without authentication. This affects Apache NuttX RTOS versions 6.22 through 12.8.x, with a critical CVSS score of 9.8 indicating high severity across confidentiality, integrity, and availability. The vulnerability is particularly dangerous because developers may have copied the vulnerable example code into production implementations, extending the attack surface beyond the example application itself.
Technical Context
The vulnerability exists in Apache NuttX RTOS (CPE: cpe:2.3:o:apache:nuttx:*:*:*:*:*:*:*:*) apps/examples/xmlrpc application, which implements XML-RPC protocol support. The root cause is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), manifesting as a classic stack or heap buffer overflow. The device stats structure accepts remotely-provided parameters into fixed-size character arrays without bounds checking against the actual configured string size limit (CONFIG_XMLRPC_STRINGSIZE). When remote XML-RPC clients send payloads exceeding the hardcoded buffer dimensions, they can write beyond allocated memory boundaries. The fix involves dynamically sizing buffer members to CONFIG_XMLRPC_STRINGSIZE+1 to match the actual string length limits enforced elsewhere in the XMLRPC implementation, ensuring consistency between configuration and allocation.
Affected Products
Apache NuttX RTOS (6.22 through 12.8.x)
Remediation
Upgrade Apache NuttX RTOS to version 12.9.0 or later; details: The official fix updates device stats structure buffer members to size CONFIG_XMLRPC_STRINGSIZE+1, ensuring dynamic sizing based on configuration. Code Review: Audit custom implementations derived from the xmlrpc example application; details: Users who copied or adapted apps/examples/xmlrpc code must review their implementations and apply the same buffer sizing correction: replace hardcoded sizes with CONFIG_XMLRPC_STRINGSIZE+1 or dynamically allocated buffers. Workaround (Temporary): Restrict network access to XMLRPC interface if not essential; details: Disable or limit remote access to XMLRPC endpoints using firewall rules or NuttX network configuration to reduce exposure while awaiting patching. Configuration: Verify CONFIG_XMLRPC_STRINGSIZE setting; details: Ensure that any custom XMLRPC implementations enforce maximum input sizes consistent with the buffer allocation—do not allow configuration to exceed allocated memory.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today