
Cloud Vulnerability DB
A community-led vulnerabilities database
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. An integer underflow vulnerability (CVE-2025-52471) was identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component affecting versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. The vulnerability was discovered by Xiaobye of DEVCORE Research Team and disclosed on June 24, 2025 (GitHub Advisory).
The vulnerability stems from insufficient validation of user-supplied data length in the packet receive function. The issue is classified as CWE-191 (Integer Underflow) and has received a CVSS v4.0 score of 7.2 HIGH with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U (NVD).
Under certain conditions, this vulnerability may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device (GitHub Advisory).
In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the data_len parameter received in the RX callback (registered via esp_now_register_recv_cb()) is a positive value before further processing. For ESP-IDF v5.4 and later, users are advised to upgrade to a patched version of ESP-IDF (GitHub Advisory).
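The workaround for v5.3 and earlier, sketched as an added example (not code from the advisory or from ESP-IDF): an RX callback that rejects a non-positive data_len before it is ever used as a size. APP_MAX_PAYLOAD, the app_* names and the host-build stand-in struct are assumptions, and the upper bound is an extra check beyond what the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef ESP_PLATFORM
#include "esp_now.h"   /* real header when built inside ESP-IDF */
#else
/* Stand-in type (assumption) so the guard can be compiled and tested on a host. */
typedef struct { uint8_t *src_addr; uint8_t *des_addr; void *rx_ctrl; } esp_now_recv_info_t;
#endif

#define APP_MAX_PAYLOAD 250   /* assumption: largest frame this application expects */

static uint8_t  app_buf[APP_MAX_PAYLOAD];
static size_t   app_len;      /* size of the last accepted payload */
static uint32_t app_dropped;  /* frames rejected by the length guard */

/* Returns 1 only when data_len can safely be used as a size. */
int espnow_len_is_valid(const uint8_t *data, int data_len)
{
    if (data == NULL) return 0;
    if (data_len <= 0) return 0;               /* the advisory's workaround */
    if (data_len > APP_MAX_PAYLOAD) return 0;  /* extra bound, added here */
    return 1;
}

/* RX callback using the ESP-IDF v5.x callback signature. */
void app_espnow_recv_cb(const esp_now_recv_info_t *info,
                        const uint8_t *data, int data_len)
{
    (void)info;
    /* Check before any cast: (size_t)-8 would become a huge copy length. */
    if (!espnow_len_is_valid(data, data_len)) {
        app_dropped++;
        return;
    }
    memcpy(app_buf, data, (size_t)data_len);
    app_len = (size_t)data_len;
}

size_t   app_last_len(void)   { return app_len; }
uint32_t app_drop_count(void) { return app_dropped; }

#ifdef ESP_PLATFORM
/* Register the guarded callback after esp_now_init() has succeeded. */
esp_err_t app_espnow_attach(void)
{
    return esp_now_register_recv_cb(app_espnow_recv_cb);
}
#endif
```

Counting drops in app_dropped gives a cheap signal to export in device telemetry: a non-zero value on a fleet that never sends empty frames is worth investigating.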
Source: This report was generated using AI