CVE-2025-40907

Summary

FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.

The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

Affected Software

VendorProductVersion RangeStatus
ETHERFCGI0.44 <= 0.82affected

Weaknesses

  • CWE-1395: CWE-1395: Dependency on Vulnerable Third-Party Component
  • CWE-190: CWE-190 Integer Overflow or Wraparound
  • CWE-122: CWE-122 Heap-based Buffer Overflow

Workarounds

Updating to version 2.4.5 of the included fcgi2 library and rebuilding the Perl module will protect against the vulnerability.

We also recommend limiting potential remote access to the FastCGI socket by declaring it as a UNIX socket.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References