Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-55297

CVE-2025-55297: Espressif ESP-IDF Buffer Overflow Flaw

CVE-2025-55297 is a buffer overflow vulnerability in Espressif ESP-IDF affecting BluFi example code in Wi-Fi credential handling and Diffie-Hellman key exchange. This article covers technical details, affected versions, and patches.

Published:

CVE-2025-55297 Overview

CVE-2025-55297 affects the Espressif IoT Development Framework (ESP-IDF), specifically the BluFi example bundled with the framework. The BluFi example contains memory overflow conditions in two distinct code paths: Wi-Fi credential handling and the Diffie–Hellman key exchange routine. An attacker within Bluetooth Low Energy (BLE) range can send malformed provisioning data to trigger buffer overflows in blufi_example_main.c and blufi_security.c. The flaw is classified under CWE-120 (Classic Buffer Overflow). Espressif has remediated the issue in ESP-IDF versions 5.4.1, 5.3.3, 5.1.6, and 5.0.9.

Critical Impact

An adjacent-network attacker can corrupt device memory on ESP32-family IoT devices during BluFi provisioning, leading to potential code execution or denial of service.

Affected Products

  • Espressif ESP-IDF versions prior to 5.0.9
  • Espressif ESP-IDF 5.1.x prior to 5.1.6
  • Espressif ESP-IDF 5.3.x prior to 5.3.3 and 5.4.x prior to 5.4.1

Discovery Timeline

  • 2025-08-21 - CVE-2025-55297 published to NVD
  • 2026-01-22 - Last updated in NVD database

Technical Details for CVE-2025-55297

Vulnerability Analysis

The BluFi example provides BLE-based Wi-Fi provisioning for ESP32 devices. The vulnerable code paths process attacker-controlled length fields without validating them against destination buffer sizes. When BluFi events such as ESP_BLUFI_EVENT_RECV_STA_SSID, ESP_BLUFI_EVENT_RECV_STA_PASSWD, ESP_BLUFI_EVENT_RECV_SOFTAP_SSID, and ESP_BLUFI_EVENT_RECV_SOFTAP_PASSWD are received, the example calls strncpy() using the caller-supplied length directly. Oversized inputs overflow fixed-size fields inside sta_config.sta.ssid, sta_config.sta.password, and the ap_config equivalents.

A second class of overflow exists in blufi_security.c, where the Diffie–Hellman key exchange used fixed 128-byte buffers (self_public_key and share_key) without robust bounds checks on derived key material. Memory corruption in these structures during the key agreement phase can crash the device or corrupt adjacent state.

Root Cause

The root cause is missing length validation before copying attacker-controlled BluFi frame data into fixed-size stack and structure buffers. The example code trusted the ssid_len, passwd_len, and DH key length parameters supplied over BLE without comparing them against destination buffer dimensions.

Attack Vector

Exploitation requires BLE proximity to a target ESP32 device that runs firmware derived from the BluFi example and is in provisioning mode. The attacker connects over GATT and sends crafted BluFi frames with oversized SSID, password, or DH key length fields. No authentication is required prior to BluFi provisioning.

c
// Patch excerpt from examples/bluetooth/blufi/main/blufi_example_main.c
// Source: https://github.com/espressif/esp-idf/commit/12b7a9e6d78012ab9184b7ccdb5524364bf7e345
case ESP_BLUFI_EVENT_RECV_STA_SSID:
    if (param->sta_ssid.ssid_len >= sizeof(sta_config.sta.ssid)/sizeof(sta_config.sta.ssid[0])) {
        esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
        BLUFI_INFO("Invalid STA SSID\n");
        break;
    }
    strncpy((char *)sta_config.sta.ssid, (char *)param->sta_ssid.ssid, param->sta_ssid.ssid_len);
    sta_config.sta.ssid[param->sta_ssid.ssid_len] = '\0';
    break;
case ESP_BLUFI_EVENT_RECV_STA_PASSWD:
    if (param->sta_passwd.passwd_len >= sizeof(sta_config.sta.password)/sizeof(sta_config.sta.password[0])) {
        esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
        BLUFI_INFO("Invalid STA PASSWORD\n");
        break;
    }
    strncpy((char *)sta_config.sta.password, (char *)param->sta_passwd.passwd, param->sta_passwd.passwd_len);
    break;

The added length checks before each strncpy() call enforce the buffer boundary and abort processing with ESP_BLUFI_DATA_FORMAT_ERROR when oversized input is detected.

Detection Methods for CVE-2025-55297

Indicators of Compromise

  • Unexpected device reboots, watchdog resets, or LoadProhibited/StoreProhibited panic messages on ESP32 serial logs during or after BLE provisioning.
  • BluFi error frames carrying ESP_BLUFI_DATA_FORMAT_ERROR originating from unknown BLE peers.
  • BLE GATT connections to the BluFi service from devices outside the expected provisioning workflow.

Detection Strategies

  • Inventory firmware images and identify those built against ESP-IDF versions prior to 5.4.1, 5.3.3, 5.1.6, or 5.0.9 that ship code derived from the BluFi example.
  • Review device telemetry for crash signatures correlated with BLE provisioning events, particularly around blufi_example_main.c event handlers.
  • Use BLE traffic capture tools to flag BluFi frames with ssid_len or passwd_len values at or above 32 bytes, and DH public key payloads exceeding 128 bytes.

Monitoring Recommendations

  • Aggregate ESP32 serial and remote logs to a central log store to correlate provisioning failures across fleets.
  • Alert on repeated BluFi provisioning attempts from the same BLE peer address within short time windows.
  • Track firmware version build metadata so security teams can quickly identify devices running vulnerable ESP-IDF versions.

How to Mitigate CVE-2025-55297

Immediate Actions Required

  • Update the ESP-IDF toolchain to 5.4.1, 5.3.3, 5.1.6, or 5.0.9 (whichever matches the supported branch) and rebuild firmware that uses the BluFi example.
  • Disable the BluFi provisioning interface in production firmware where it is not required, or gate it behind a physical user action.
  • Audit custom forks of the BluFi example to apply the same length checks before strncpy() and DH key handling.

Patch Information

Espressif published fixes across multiple commits referenced in GHSA-9w88-r2vm-qfc4. Key changes include length validation in blufi_example_main.c for STA/SoftAP SSID and password handlers (commit 12b7a9e) and hardening of the Diffie–Hellman key exchange in blufi_security.c (commit 3fc6c93 and commit 5f93ec3).

Workarounds

  • Restrict BluFi advertising to a short window triggered only by a physical button press, reducing the BLE attack surface.
  • Run provisioning in a controlled RF environment, such as a shielded room or Faraday enclosure, when bringing devices online.
  • Backport the upstream length-check patches into custom firmware that cannot immediately move to a supported ESP-IDF release.
bash
# Update ESP-IDF to a patched release and rebuild firmware
cd $IDF_PATH
git fetch origin
git checkout v5.4.1   # or v5.3.3, v5.1.6, v5.0.9 depending on the branch in use
git submodule update --init --recursive
./install.sh
. ./export.sh
idf.py fullclean
idf.py build flash monitor

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.