CVE-2025-40907
Severity CVSS v4.0: Pending analysis
Type: CWE-122 (Heap-based Buffer Overflow)
Publication date: 16/05/2025
Last modified: 29/09/2025
Description
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.

The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
Impact
Base Score 3.x: 5.30
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:fastcgi:fcgi:*:*:*:*:*:perl:*:* | 0.44 (including) | 0.82 (including) |
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2025/04/23/4
- https://github.com/FastCGI-Archives/fcgi2/issues/67
- https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
- https://github.com/perl-catalyst/FCGI/issues/14
- https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch
- https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library