CVE-2025-55297: 
Espressif ESP-IDF Tools vulnerability analysis and mitigation

ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie–Hellman key exchange. This vulnerability was discovered on August 21, 2025 and is tracked as CVE-2025-55297. The vulnerability affects versions prior to 5.4.1, 5.3.3, 5.1.6, and 5.0.9 (GitHub Advisory).

The vulnerability manifests in two key areas: Wi-Fi credential handling and Diffie–Hellman key exchange. In the credential handling functions, strncpy was incorrectly used with the input length instead of the size of the destination buffer. During the Diffie–Hellman key exchange, a fixed-size buffer was used to store the public key without validating its size against peer-supplied parameters. The vulnerability has been assigned a CVSS v4.0 base score of 5.2 (Medium) with the vector string CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U (NVD).

These vulnerabilities could allow an attacker to overflow buffers located in global memory. The buffer overflow in the Diffie–Hellman key exchange could result in memory corruption or unexpected behavior. The impact is particularly concerning as it affects the security of the Wi-Fi provisioning process (GitHub Advisory).

The vulnerability has been fixed in versions 5.4.1, 5.3.3, 5.1.6, and 5.0.9. Users are recommended to upgrade to these patched versions. For those who cannot upgrade, the fixes can be cherry-picked from the provided commits. Additionally, for higher security requirements, it is recommended to implement custom encryption, decryption, authentication, and checksum algorithms by customizing the security callbacks in the BluFi framework (GitHub Advisory).