Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contain an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init() accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen() on this buffer (in golioth_coap_client_get_internal()) can read past the end of the allocation, resulting in a crash/denial of service. The input is application-controlled (not network by default).
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 5
https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
disclosure@vulncheck.com
https://github.com/golioth/golioth-firmware-sdk/commit/0e788217ab4b61a7c1d9fadd…
disclosure@vulncheck.com
https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0
disclosure@vulncheck.com
https://secmate.dev/disclosures/SECMATE-2025-0017
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/golioth-firmware-sdk-blockwise-transfer-pa…
disclosure@vulncheck.com