CVE-2025-40907
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.
The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ETHER | FCGI | 0.44 <= 0.82 | affected |
Weaknesses
- CWE-1395: CWE-1395: Dependency on Vulnerable Third-Party Component
- CWE-190: CWE-190 Integer Overflow or Wraparound
- CWE-122: CWE-122 Heap-based Buffer Overflow
Workarounds
Updating to version 2.4.5 of the included fcgi2 library and rebuilding the Perl module will protect against the vulnerability.
We also recommend limiting potential remote access to the FastCGI socket by declaring it as a UNIX socket.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- http://www.openwall.com/lists/oss-security/2025/04/23/4
- https://github.com/FastCGI-Archives/fcgi2/issues/67
- https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
- https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library
- https://github.com/perl-catalyst/FCGI/issues/14
- https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.