What is the CVSS score of CVE-2025-47869?

CVE-2025-47869 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Nuttx are affected by CVE-2025-47869?

Apache NuttX RTOS versions 6.22-12.8.x contain a critical remote buffer overflow in the xmlrpc example application that allows unauthenticated attackers to compromise system confidentiality,…. A patch is available.

How to fix or mitigate CVE-2025-47869?

Within 24 hours: Identify all systems running Apache NuttX RTOS versions 6.22-12.8.x and determine whether the xmlrpc example application or derivative code is deployed. Within 7 days: Apply the vendor-released patch to upgrade to NuttX 12.9 or later, or apply the specific security fix for affected versions per Apache NuttX advisory. Within 30 days: Conduct code review of production systems to identify any custom implementations based on the vulnerable xmlrpc example and apply equivalent patches to those codebases.

Nuttx CVE-2025-47869

EUVD-2025-18388 CRITICAL

Buffer Overflow (CWE-119)

2025-06-16 security@apache.org

Buffer Overflow Apache Nuttx

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:54 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

12.9.0

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18388

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

CVE Published

Jun 16, 2025 - 11:15 nvd

CRITICAL 9.8

DescriptionNVD

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability was discovered in Apache NuttX RTOS apps/exapmles/xmlrpc application. In this example application device stats structure that stored remotely provided parameters had hardcoded buffer size which could lead to buffer overflow. Structure members buffers were updated to valid size of CONFIG_XMLRPC_STRINGSIZE+1.

This issue affects Apache NuttX RTOS users that may have used or base their code on example application as presented in releases from 6.22 before 12.9.0.

Users of XMLRPC in Apache NuttX RTOS are advised to review their code for this pattern and update buffer sizes as presented in the version of the example in release 12.9.0.

AnalysisAI

Buffer overflow vulnerability in the Apache NuttX RTOS xmlrpc example application where device statistics structures use hardcoded buffer sizes that do not account for the CONFIG_XMLRPC_STRINGSIZE configuration parameter, allowing remote attackers to overflow memory without authentication. This affects Apache NuttX RTOS versions 6.22 through 12.8.x, with a critical CVSS score of 9.8 indicating high severity across confidentiality, integrity, and availability. The vulnerability is particularly dangerous because developers may have copied the vulnerable example code into production implementations, extending the attack surface beyond the example application itself.

Technical ContextAI

The vulnerability exists in Apache NuttX RTOS (CPE: cpe:2.3:o:apache:nuttx:*:*:*:*:*:*:*:*) apps/examples/xmlrpc application, which implements XML-RPC protocol support. The root cause is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), manifesting as a classic stack or heap buffer overflow. The device stats structure accepts remotely-provided parameters into fixed-size character arrays without bounds checking against the actual configured string size limit (CONFIG_XMLRPC_STRINGSIZE). When remote XML-RPC clients send payloads exceeding the hardcoded buffer dimensions, they can write beyond allocated memory boundaries. The fix involves dynamically sizing buffer members to CONFIG_XMLRPC_STRINGSIZE+1 to match the actual string length limits enforced elsewhere in the XMLRPC implementation, ensuring consistency between configuration and allocation.

RemediationAI

Upgrade Apache NuttX RTOS to version 12.9.0 or later; details: The official fix updates device stats structure buffer members to size CONFIG_XMLRPC_STRINGSIZE+1, ensuring dynamic sizing based on configuration. Code Review: Audit custom implementations derived from the xmlrpc example application; details: Users who copied or adapted apps/examples/xmlrpc code must review their implementations and apply the same buffer sizing correction: replace hardcoded sizes with CONFIG_XMLRPC_STRINGSIZE+1 or dynamically allocated buffers. Workaround (Temporary): Restrict network access to XMLRPC interface if not essential; details: Disable or limit remote access to XMLRPC endpoints using firewall rules or NuttX network configuration to reduce exposure while awaiting patching. Configuration: Verify CONFIG_XMLRPC_STRINGSIZE setting; details: Ensure that any custom XMLRPC implementations enforce maximum input sizes consistent with the buffer allocation—do not allow configuration to exceed allocated memory.

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

CVE-2026-43828 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue

CVE-2026-44598 MEDIUM This Month

5.1 May 25

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vu

CVE-2025-47869 vulnerability details – vuln.today

Back

Nuttx CVE-2025-47869

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code