CVE-2025-40907Dependency on Vulnerable Third-Party Component in Libfcgi-perl

CWE-1395Dependency on Vulnerable Third-Party ComponentCWE-122Heap-based Buffer OverflowCWE-190Integer Overflow or Wraparound6 documents6 sources
Severity
5.3MEDIUMNVD
OSV9.3
EPSS
0.8%
top 26.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Debian Libfcgi-perlFastcgi Fcgi
Timeline
PublishedMay 16
Latest updateMay 22

Description

FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDfastcgi/fcgi0.440.82
debiandebian/libfcgi-perl< libfcgi-perl 0.79+ds-2 (bookworm)

Patches

Patch: patch-diff.githubusercontent.com

🔴Vulnerability Details

2
OSV
CVE-2025-40907: FCGI versions 02025-05-16
GHSA
GHSA-488m-4fx8-f36v: FCGI versions 02025-05-16

📋Vendor Advisories

3
Ubuntu
libfcgi-perl vulnerability2025-05-22
Red Hat
perl-fcgi: FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library2025-05-16
Debian
CVE-2025-40907: libfcgi-perl - FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the F...2025
CVE-2025-40907 — Debian Libfcgi-perl vulnerability | cvebase