CVE-2025-52471
Published: 24 June 2025
Summary
CVE-2025-52471 is a high-severity Integer Underflow (Wrap or Wraparound, CWE-191) vulnerability in Espressif ESP-IDF. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 17.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An integer underflow vulnerability (CWE-191) exists in the ESP-NOW protocol implementation inside the ESP Wi-Fi component of the Espressif IoT Development Framework (ESP-IDF). The flaw affects versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 and originates from missing validation of user-supplied data length values inside the packet receive function, which can produce out-of-bounds memory access and arbitrary memory writes. On devices lacking memory protection, the condition may be leveraged for remote code execution.
An unauthenticated network attacker can trigger the issue by sending a crafted ESP-NOW frame that supplies a negative or malformed length field, resulting in high-impact confidentiality, integrity, and availability consequences on the target device. The CVSS 4.0 score of 7.2 reflects network attack vector, low complexity, and no required user interaction or privileges.
Patches that add comprehensive length validation during packet reception are available in ESP-IDF 5.4.2, 5.3.4, 5.2.6, and corresponding later point releases; the referenced commits document the exact changes. For ESP-IDF v5.3 and earlier branches, application code can reduce exposure by checking that the data_len parameter passed to the RX callback registered via esp_now_register_recv_cb is positive (greater than zero) before any further processing. No application-level workaround exists for the v5.4 series, so upgrading is required.
EPSS remains low and unchanged at 0.0171 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19059
Vulnerability details
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.
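The application-level workaround described above for ESP-IDF v5.3 and earlier, shown as an added example that is not part of this CVE record or of Espressif's own code. It contrasts the fragile upper-bound-only check with a check that rejects zero and negative `data_len` values before anything else. The `demo_recv_info_t` struct, `DEMO_MAX_PAYLOAD`, the `demo_*` function names and the `bool` return of the callback are assumptions made so the code compiles and can be exercised off-device; the real ESP-NOW receive callback returns `void`, and `esp_now_register_recv_cb()` is the only identifier here taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: local stand-in for the ESP-IDF receive-info type so this
 * builds without the ESP-IDF headers. It is not the real esp_now_recv_info_t. */
typedef struct {
    const uint8_t *src_addr;   /* sender MAC */
    const uint8_t *des_addr;   /* destination MAC */
} demo_recv_info_t;

/* Assumption: payload ceiling used by this demo, not a value from ESP-IDF. */
#define DEMO_MAX_PAYLOAD 250

/* Fragile pattern: only the upper bound is checked. Because data_len is a
 * signed int, a negative value satisfies the comparison, and a later
 * memcpy() receives it converted to a very large size_t. */
static bool unsafe_len_check(int data_len, size_t max_len)
{
    return data_len <= (int)max_len;   /* -1 <= 250 evaluates true */
}

/* Hardened pattern: reject zero and negative lengths first, then bound.
 * The cast to size_t is only performed after the sign has been checked. */
static bool safe_len_check(int data_len, size_t max_len)
{
    if (data_len <= 0) {
        return false;
    }
    return (size_t)data_len <= max_len;
}

static uint8_t g_rx_buf[DEMO_MAX_PAYLOAD];
static size_t g_rx_len;
static unsigned g_dropped;

/* RX callback in the shape of the ESP-IDF v5.x-style (info, data, len)
 * signature. Returns true when the frame is accepted so the check can be
 * tested without Wi-Fi hardware; a real callback wrapper would return void
 * and be passed to esp_now_register_recv_cb(). */
bool demo_recv_cb(const demo_recv_info_t *info, const uint8_t *data, int data_len)
{
    (void)info;
    if (data == NULL || !safe_len_check(data_len, sizeof(g_rx_buf))) {
        g_dropped++;               /* count rejected frames for monitoring */
        return false;
    }
    memcpy(g_rx_buf, data, (size_t)data_len);
    g_rx_len = (size_t)data_len;
    return true;
}

size_t demo_rx_len(void) { return g_rx_len; }
unsigned demo_dropped(void) { return g_dropped; }

int main(void)
{
    /* Constructed sample payload, not captured traffic. */
    static const uint8_t pkt[] = { 0x01, 0x02, 0x03, 0x04 };

    printf("unsafe check accepts -1: %d\n", unsafe_len_check(-1, DEMO_MAX_PAYLOAD));
    printf("safe check accepts -1:   %d\n", safe_len_check(-1, DEMO_MAX_PAYLOAD));
    printf("valid frame accepted:    %d (len %zu)\n",
           demo_recv_cb(NULL, pkt, (int)sizeof(pkt)), demo_rx_len());
    printf("negative frame accepted: %d (dropped %u)\n",
           demo_recv_cb(NULL, pkt, -4), demo_dropped());
    return 0;
}
```

The counter of dropped frames is worth exporting to whatever telemetry the device already reports: a sudden rise in rejected ESP-NOW frames from one peer is a cheap detection signal for malformed traffic, while the early `data_len <= 0` return is the actual mitigation.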
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.