FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.

The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
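The overflow path the description names, ReadParams adding a crafted nameLen and valueLen before sizing a heap buffer, modelled as an added example in C. This is not fcgi2 code: decode_nv_header, naive_entry_size, safe_entry_size and the two byte strings are constructed here to show the FastCGI name-value length encoding, why a 32-bit sum of two peer-chosen lengths wraps to a tiny allocation, and what a bounds check that rejects such input looks like. Unsigned 32-bit arithmetic is used so the wrap is well defined; fcgi2 works in int, where the same overflow is undefined behaviour. The "available" argument is an assumed upper bound on the stream data the peer has actually sent.

```c
/* Added example, not fcgi2 source. Constructed inputs, not captured traffic. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one FastCGI name-value length field: a byte with the high bit clear
 * is the length itself; otherwise the length is 4 bytes big-endian with the
 * high bit of the first byte masked off. Returns bytes consumed, 0 if short. */
static size_t decode_len(const unsigned char *p, size_t avail, uint32_t *out)
{
    if (avail < 1) return 0;
    if ((p[0] & 0x80) == 0) { *out = p[0]; return 1; }
    if (avail < 4) return 0;
    *out = ((uint32_t)(p[0] & 0x7f) << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 4;
}

/* Decode the nameLen/valueLen pair that starts a name-value record.
 * Returns bytes consumed (2..8), or 0 on truncated input. */
size_t decode_nv_header(const unsigned char *p, size_t avail,
                        uint32_t *name_len, uint32_t *value_len)
{
    size_t n = decode_len(p, avail, name_len);
    if (n == 0) return 0;
    size_t v = decode_len(p + n, avail - n, value_len);
    if (v == 0) return 0;
    return n + v;
}

/* Unsafe sizing pattern: name + value + 2 separator bytes, summed in 32 bits.
 * Two 0x7fffffff lengths wrap to 0, so the buffer ends up far smaller than the
 * name_len bytes a reader would then copy into it (the heap overflow). */
uint32_t naive_entry_size(uint32_t name_len, uint32_t value_len)
{
    return name_len + value_len + 2;
}

/* Hardened sizing: each length must fit in the bytes still available from the
 * peer (it cannot promise more than it sends), and the total is formed in
 * size_t behind an explicit overflow guard. Returns 0 on success, -1 to reject. */
int safe_entry_size(uint32_t name_len, uint32_t value_len, size_t available,
                    size_t *out)
{
    if (name_len > available || value_len > available - name_len) return -1;
    if ((size_t)name_len + value_len > SIZE_MAX - 2) return -1;
    *out = (size_t)name_len + value_len + 2;
    return 0;
}

/* Constructed inputs: both lengths 0x7fffffff, and a benign "SCRIPT_NAME"=/x pair. */
static const unsigned char CRAFTED_HDR[8] = {0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff};
static const unsigned char BENIGN_HDR[2]  = {11, 2};

int main(void)
{
    uint32_t nl, vl;
    size_t sz;

    decode_nv_header(CRAFTED_HDR, sizeof CRAFTED_HDR, &nl, &vl);
    printf("crafted: nameLen=%" PRIu32 " valueLen=%" PRIu32
           " naive size=%" PRIu32 " hardened=%s\n", nl, vl,
           naive_entry_size(nl, vl),
           safe_entry_size(nl, vl, 4096, &sz) == 0 ? "accepted" : "rejected");

    decode_nv_header(BENIGN_HDR, sizeof BENIGN_HDR, &nl, &vl);
    if (safe_entry_size(nl, vl, 13, &sz) == 0)
        printf("benign: nameLen=%" PRIu32 " valueLen=%" PRIu32 " size=%zu\n", nl, vl, sz);
    return 0;
}
```

Running it shows the crafted header decoding to two lengths of 0x7fffffff whose sum plus 2 wraps to 0 in the naive path, while the hardened check rejects it because neither length can be satisfied by the 4096 bytes assumed available. The benign pair sizes to 15 bytes as expected. The bound passed as "available" is an assumption of this example; what a real server can use is whatever limit it has on the PARAMS stream (bytes received so far, or a configured maximum), and any length above that is unsatisfiable and can be refused before allocation.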
Fixes

Solution

No solution given by the vendor.


Workaround

Updating the bundled fcgi2 library to version 2.4.5 and rebuilding the Perl module protects against the vulnerability. We also recommend limiting remote access to the FastCGI socket by binding it as a UNIX-domain socket rather than a TCP port, so that only local processes can deliver data to ReadParams.

History

Fri, 05 Sep 2025 13:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-122

Wed, 16 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics | epss {'score': 0.00099} | epss {'score': 0.00107}


Wed, 02 Jul 2025 01:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fastcgi; Fastcgi fcgi
Weaknesses | | CWE-190
CPEs | | cpe:2.3:a:fastcgi:fcgi:*:*:*:*:*:perl:*:*
Vendors & Products | | Fastcgi; Fastcgi fcgi

Thu, 12 Jun 2025 19:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:/a:redhat:rhel_aus:8.6; cpe:/a:redhat:rhel_e4s:8.6; cpe:/a:redhat:rhel_tus:8.6

Wed, 11 Jun 2025 14:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:/a:redhat:rhel_aus:8.2

Tue, 10 Jun 2025 06:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat; Redhat enterprise Linux; Redhat rhel Aus; Redhat rhel E4s; Redhat rhel Els; Redhat rhel Eus; Redhat rhel Tus
CPEs | | cpe:/a:redhat:enterprise_linux:8; cpe:/a:redhat:enterprise_linux:9; cpe:/a:redhat:rhel_aus:8.4; cpe:/a:redhat:rhel_e4s:8.8; cpe:/a:redhat:rhel_e4s:9.0; cpe:/a:redhat:rhel_e4s:9.2; cpe:/a:redhat:rhel_eus:9.4; cpe:/a:redhat:rhel_tus:8.8; cpe:/o:redhat:enterprise_linux:10.0; cpe:/o:redhat:rhel_els:7
Vendors & Products | | Redhat; Redhat enterprise Linux; Redhat rhel Aus; Redhat rhel E4s; Redhat rhel Els; Redhat rhel Eus; Redhat rhel Tus

Sat, 17 May 2025 03:30:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity None | threat_severity Important


Fri, 16 May 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 May 2025 13:15:00 +0000

Type | Values Removed | Values Added
Description | | FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
Title | | FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library
Weaknesses | | CWE-1395
References | |

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2025-09-05T13:23:05.630Z

Reserved: 2025-04-16T09:05:34.360Z

Link: CVE-2025-40907

Vulnrichment

Updated: 2025-05-16T15:08:50.489Z

NVD

Status : Analyzed

Published: 2025-05-16T13:15:52.683

Modified: 2025-09-29T22:43:59.123

Link: CVE-2025-40907

Redhat

Severity : Important

Public Date: 2025-05-16T13:03:02Z

Links: CVE-2025-40907 - Bugzilla

OpenCVE Enrichment

No data.