Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size.
Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 5
https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
disclosure@vulncheck.com
https://github.com/golioth/golioth-firmware-sdk/commit/48f521bcc0187ada2b9cbdad…
disclosure@vulncheck.com
https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0
disclosure@vulncheck.com
https://secmate.dev/disclosures/SECMATE-2025-0015
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/golioth-firmware-sdk-payload-utils-stack-b…
disclosure@vulncheck.com