CVE-2025-40907
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library
In short
The Perl FCGI module versions 0.44 to 0.82 include a vulnerable FastCGI library that can be exploited by sending crafted data to cause a crash or potentially execute code on the server.
Technical detail
An integer overflow in the FastCGI fcgi2 library's ReadParams function (fcgiapp.c) allows remote attackers to trigger a heap-based buffer overflow via malicious nameLen or valueLen values in IPC socket data. Exploitation requires the ability to send crafted FastCGI protocol messages to the application.
Summary generated and translated by AI from the official description.
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.
The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
ETHER · FCGIWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/FastCGI-Archives/fcgi2/issues/67https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5https://github.com/perl-catalyst/FCGI/issues/14https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patchhttps://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-libraryhttp://www.openwall.com/lists/oss-security/2025/04/23/4