CVSS: 9.4 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-12383 – Race Condition allows Bypass of Trust Restrictions
https://notcve.org/view.php?id=CVE-2025-12383
18 Nov 2025 — In Eclipse Jersey versions 2.45, 3.0.16 and 3.1.9, a race condition can cause critical SSL configuration, such as mutual authentication, custom key/trust stores and other security settings, to be ignored. Under normal circumstances this issue may result in an SSLHandshakeException, but under certain conditions it could lead to unauthorized trust in insecure servers (see PoC). • https://gitlab.eclipse.org/security/cve-assignment/-/issues/74 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-11965
https://notcve.org/view.php?id=CVE-2025-11965
22 Oct 2025 — In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config'). • https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/304 • CWE-552: Files or Directories Accessible to External Parties •
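The defect class behind CVE-2025-11965 is a hidden-file filter that inspects only the last path component, so a request for '.git/config' passes because 'config' is not a dotfile. As an added illustration, not Vert.x code, the following stand-alone C sketch places the weak check beside the corrected one that examines every component; the function names, the sample paths and the decision to treat bare '.' and '..' tokens as traversal (assumed normalised away earlier) are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not Vert.x code. A static-file handler that wants to
 * refuse dotfiles must test every path component, not only the last one.
 */

/* Weak variant: only the final component is examined, so "/.git/config"
 * is served because "config" does not start with '.'. */
bool is_hidden_last_segment_only(const char *path)
{
    const char *slash = strrchr(path, '/');
    const char *name = slash ? slash + 1 : path;
    return name[0] == '.';
}

/* Fixed variant: any component beginning with '.' marks the path hidden.
 * The bare tokens "." and ".." are traversal tokens, not dotfiles; this
 * example assumes the handler normalises them away before the check runs. */
bool is_hidden_any_segment(const char *path)
{
    const char *p = path;
    while (*p != '\0') {
        while (*p == '/')
            p++;                                   /* skip one or more separators */
        if (*p == '\0')
            break;
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        bool dot_token = (len == 1 && p[0] == '.') ||
                         (len == 2 && p[0] == '.' && p[1] == '.');
        if (p[0] == '.' && !dot_token)
            return true;
        p += len;
    }
    return false;
}

/* Policy decision a handler would make: serve unless hidden, or hidden is allowed. */
bool static_handler_allows(const char *path, bool include_hidden)
{
    return include_hidden || !is_hidden_any_segment(path);
}

int main(void)
{
    /* Constructed request paths for the demonstration. */
    const char *paths[] = { "/index.html", "/.env", "/.git/config", "/docs/../.ssh/id_rsa" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-24s last-only:%d any-segment:%d\n", paths[i],
               is_hidden_last_segment_only(paths[i]), is_hidden_any_segment(paths[i]));
    return 0;
}
```

The hidden-directory case is the one that separates the two functions: '/.env' is rejected by both, '/.git/config' only by the per-segment version.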
CVSS: 5.4 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-11966
https://notcve.org/view.php?id=CVE-2025-11966
22 Oct 2025 — In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing. • https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
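CVE-2025-11966 is the stored-XSS pattern of interpolating a file name into href, title and link text without escaping. As an added example, not Vert.x code, the stand-alone C program below renders one listing entry the vulnerable way and the escaped way for a constructed hostile file name; the escaper and the markup template are this example's own choices.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed example, not Vert.x code. A directory listing that places
 * file names into href/title attributes and link text must HTML-escape
 * them; the vulnerable pattern interpolates the raw name.
 */

/* Escape the five characters that can close a double-quoted attribute or
 * open a tag. Returns bytes written (excluding NUL), or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        char lit[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = lit;      break;
        }
        size_t r = strlen(rep);
        if (o + r >= out_len)
            return -1;
        memcpy(out + o, rep, r);
        o += r;
    }
    if (o >= out_len)
        return -1;
    out[o] = '\0';
    return (int)o;
}

/* Vulnerable pattern: the name reaches the markup unescaped. */
int render_entry_unsafe(const char *name, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "<a href=\"%s\" title=\"%s\">%s</a>", name, name, name);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Fixed pattern: escape once, then use the escaped form in every position. */
int render_entry_safe(const char *name, char *out, size_t out_len)
{
    char esc[1024];
    if (html_escape(name, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, out_len, "<a href=\"%s\" title=\"%s\">%s</a>", esc, esc, esc);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

int main(void)
{
    /* Constructed hostile file name, as an attacker with write access to the served path might create it. */
    const char *name = "\"><script>alert(1)</script>";
    char buf[512];
    if (render_entry_unsafe(name, buf, sizeof buf) > 0)
        printf("unsafe: %s\n", buf);
    if (render_entry_safe(name, buf, sizeof buf) > 0)
        printf("safe:   %s\n", buf);
    return 0;
}
```

Entity escaping is what stops the attribute break-out; percent-encoding the name for use as a URL path (spaces, '?', '#', '%') is a separate step a real listing also needs and is not shown here.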
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-55086
https://notcve.org/view.php?id=CVE-2025-55086
20 Oct 2025 — In NetX Duo versions before 6.4.4, the networking support module for Eclipse Foundation ThreadX, the DHCPv6 client used an unchecked index when extracting the server DUID from the server reply. With a crafted packet, an attacker could cause an out-of-bounds read. • https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-99pw-cp79-2j5j • CWE-125: Out-of-bounds Read CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-55085 – Web http client: Unchecked Server-Side Malicious Packet Issue
https://notcve.org/view.php?id=CVE-2025-55085
17 Oct 2025 — In NetX Duo before 6.4.4, the networking support code for Eclipse Foundation ThreadX, the HTTP client module parsed HTTP header fields without bounds verification. A crafted server response could cause an out-of-bounds read and undefined behavior. • https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-9c77-rgp9-c2g2 • CWE-125: Out-of-bounds Read CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-55087
https://notcve.org/view.php?id=CVE-2025-55087
17 Oct 2025 — In the NetX Duo SNMP addon before 6.4.4, part of Eclipse Foundation ThreadX, an attacker could cause an out-of-bounds read with crafted SNMPv3 security parameters. • https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-v474-mv4g-v8cx • CWE-125: Out-of-bounds Read CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input •
CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-55100 – Potential out-of-bounds read in _ux_host_class_audio10_sam_parse_func()
https://notcve.org/view.php?id=CVE-2025-55100
17 Oct 2025 — In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bounds read in _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies. • https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-j253-w29r-9m48 • CWE-125: Out-of-bounds Read •
CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-55099 – Potential out-of-bounds read in _ux_host_class_audio_alternate_setting_locate()
https://notcve.org/view.php?id=CVE-2025-55099
17 Oct 2025 — In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bounds read in _ux_host_class_audio_alternate_setting_locate() when parsing a descriptor with attacker-controlled frequency fields. • https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-93mv-fcpr-9488 • CWE-125: Out-of-bounds Read •
CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-55098 – Potential out-of-bounds read in _ux_host_class_audio_device_type_get()
https://notcve.org/view.php?id=CVE-2025-55098
17 Oct 2025 — In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bounds read in _ux_host_class_audio_device_type_get() when parsing a descriptor of a USB audio device. • https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-4jc2-x5hv-46fq • CWE-125: Out-of-bounds Read •
CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-55097 – Potential out-of-bounds read in _ux_host_class_audio_streaming_sampling_get()
https://notcve.org/view.php?id=CVE-2025-55097
17 Oct 2025 — In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out-of-bounds read in _ux_host_class_audio_streaming_sampling_get() when parsing a descriptor of a USB streaming device. • https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-r6h5-fmhc-v3j7 • CWE-125: Out-of-bounds Read •
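The seven ThreadX entries above (NetX Duo DHCPv6 DUID, HTTP header and SNMPv3 parameter parsing; the four USBX audio-descriptor reads) share one defect class: a length or count taken from attacker-controlled input is used to index a buffer without being checked against the bytes actually present. As an added example, not USBX or NetX Duo code, the stand-alone C program below parses the kind of sampling-frequency list the USBX advisories describe, gating every read on both the descriptor's own bLength and the bytes remaining in the buffer. The layout follows the public USB Audio 1.0 Type I format descriptor (8 fixed bytes, then bSamFreqType 3-byte frequencies, or two 3-byte bounds when bSamFreqType is 0); the constants, struct, MAX_SAM_FREQS cap, descriptor walker and sample bytes are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example, not USBX or NetX Duo code. Layout per USB Audio 1.0
 * Type I Format Type descriptor; the cap and names are this example's own.
 */
#define CS_INTERFACE          0x24
#define FORMAT_TYPE_SUBTYPE   0x02
#define FORMAT_TYPE_I         0x01
#define FORMAT_TYPE_I_HDR_LEN 8
#define MAX_SAM_FREQS         16      /* fixed destination; rejects absurd counts */

struct sam_freqs {
    uint8_t  count;                   /* bSamFreqType: 0 => continuous range in freq[0..1] */
    uint32_t freq[MAX_SAM_FREQS];
};

static uint32_t le24(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
}

/*
 * Parse one Type I descriptor at desc with 'avail' bytes left in the buffer.
 * Returns false on any inconsistency instead of reading past bLength or avail.
 */
bool parse_type1_sam_freqs(const uint8_t *desc, size_t avail, struct sam_freqs *out)
{
    if (avail < FORMAT_TYPE_I_HDR_LEN)
        return false;
    uint8_t bLength = desc[0];
    if (bLength < FORMAT_TYPE_I_HDR_LEN || bLength > avail)      /* bLength lies about its size */
        return false;
    if (desc[1] != CS_INTERFACE || desc[2] != FORMAT_TYPE_SUBTYPE || desc[3] != FORMAT_TYPE_I)
        return false;

    uint8_t bSamFreqType = desc[7];
    size_t n = (bSamFreqType == 0) ? 2 : bSamFreqType;           /* 3-byte entries actually present */
    if (n > MAX_SAM_FREQS)
        return false;
    /* The check the vulnerable pattern lacks: the advertised count must fit inside bLength. */
    if ((size_t)bLength < FORMAT_TYPE_I_HDR_LEN + 3 * n)
        return false;

    out->count = bSamFreqType;
    for (size_t i = 0; i < n; i++)
        out->freq[i] = le24(desc + FORMAT_TYPE_I_HDR_LEN + 3 * i);
    return true;
}

/*
 * Walk a configuration-descriptor blob to the first Type I format descriptor.
 * Each step checks bLength against the remaining bytes, so a zero or oversized
 * bLength can neither stall the loop nor carry the cursor past the buffer.
 */
bool find_type1_sam_freqs(const uint8_t *cfg, size_t len, struct sam_freqs *out)
{
    size_t off = 0;
    while (len - off >= 2) {
        uint8_t bLength = cfg[off];
        if (bLength < 2 || bLength > len - off)
            return false;
        if (cfg[off + 1] == CS_INTERFACE && bLength >= 4 &&
            cfg[off + 2] == FORMAT_TYPE_SUBTYPE && cfg[off + 3] == FORMAT_TYPE_I)
            return parse_type1_sam_freqs(cfg + off, len - off, out);
        off += bLength;
    }
    return false;
}

int main(void)
{
    /* Constructed descriptor: bLength 14, two discrete rates, 44100 and 48000 Hz. */
    const uint8_t good[]    = { 14, 0x24, 0x02, 0x01, 2, 2, 16, 2,   0x44, 0xAC, 0x00, 0x80, 0xBB, 0x00 };
    /* Same bytes, but bSamFreqType claims 200 entries that bLength cannot hold. */
    const uint8_t hostile[] = { 14, 0x24, 0x02, 0x01, 2, 2, 16, 200, 0x44, 0xAC, 0x00, 0x80, 0xBB, 0x00 };
    struct sam_freqs sf;
    printf("good:    %s\n", parse_type1_sam_freqs(good, sizeof good, &sf) ? "parsed" : "rejected");
    printf("hostile: %s\n", parse_type1_sam_freqs(hostile, sizeof hostile, &sf) ? "parsed" : "rejected");
    return 0;
}
```

The same two gates apply to the NetX Duo cases: a DHCPv6 option length, an HTTP header field length or an SNMPv3 msgSecurityParameters length must be checked against the remaining packet bytes before it is used as an index, and against the fixed destination before it is used as a copy size.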
