CVE-2025-23016 — Integer Overflow or Wraparound in Fcgi

CWE-190 — Integer Overflow or Wraparound CWE-1395 — Dependency on Vulnerable Third-Party Component CWE-122 — Heap-based Buffer Overflow13 documents8 sources

Severity

9.3CRITICALNVD

NVD5.3

EPSS

0.1%

top 75.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Libfcgi Debian Libfcgi-perl Ether Fcgi +1 more

Timeline

PublishedJan 10

Latest updateJul 16

Description

FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.5 | Impact: 6.0

Affected Packages4 packages

▶NVDfastcgi/fcgi0.44 — 0.82

▶debiandebian/libfcgi< libfcgi 2.4.2-2+deb12u1 (bookworm)

▶debiandebian/libfcgi-perl< libfcgi-perl 0.79+ds-2 (bookworm)

▶CVEListV5ether/fcgi0.44 — 0.82

🔴Vulnerability Details

OSV

CVE-2025-40907: FCGI versions 0↗2025-05-16

▶

GHSA

GHSA-488m-4fx8-f36v: FCGI versions 0↗2025-05-16

▶

GHSA

GHSA-9825-56cx-cfg6: FastCGI fcgi2 (aka fcgi) 2↗2025-01-10

▶

OSV

CVE-2025-23016: FastCGI fcgi2 (aka fcgi) 2↗2025-01-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Third Party (FastCGI fcgi2) — CVE-2025-23016↗2025-07-15

▶

Red Hat

perl-fcgi: FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library↗2025-05-16

▶

Ubuntu

FastCGI vulnerability↗2025-05-06

▶

Debian

CVE-2025-23016: libfcgi - FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultan...↗2025

▶

Debian

CVE-2025-40907: libfcgi-perl - FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the F...↗2025

▶

🕵️Threat Intelligence

Qualys

Oracle Critical Patch Update, July 2025 Security Update Review↗2025-07-16

▶

Qualys

Oracle Critical Patch Update, July 2025 Security Update Review | Qualys↗2025-07-16

▶