CVE-2025-40907

FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.

The included FastCGI library is affected by  CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CPANSecCNA
---
---
CISA-ADPADP
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
Debian logo
Debian Releases
Debian Product
Codename
libfcgi-perl
bullseye
0.79+ds-2
fixed
bookworm
0.82+ds-2
fixed
sid
0.82+ds-3
fixed
trixie
0.82+ds-3
fixed
References
http://www.openwall.com/lists/oss-security/2025/04/23/4
https://github.com/FastCGI-Archives/fcgi2/issues/67
https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
https://github.com/perl-catalyst/FCGI/issues/14
https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch
https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library