{"id":"CVE-2025-40907","details":"FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.\n\nThe included FastCGI library is affected by  CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.","modified":"2026-04-16T04:30:56.837474858Z","published":"2025-05-16T13:15:52.683Z","related":["ALSA-2025:8635","ALSA-2025:8636","ALSA-2025:8696"],"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/04/23/4"},{"type":"ADVISORY","url":"https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5"},{"type":"REPORT","url":"https://github.com/perl-catalyst/FCGI/issues/14"},{"type":"REPORT","url":"https://github.com/FastCGI-Archives/fcgi2/issues/67"},{"type":"FIX","url":"https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch"},{"type":"EVIDENCE","url":"https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fastcgi-archives/fcgi2","events":[{"introduced":"0"},{"fixed":"12ae40e58f6b1d8325408ff6765894f09994f5a9"}]},{"type":"GIT","repo":"https://github.com/perl-catalyst/FCGI","events":[{"introduced":"0"},{"last_affected":"5bd9f1f966be0633c27e01f5b0508134d2452f0b"}],"database_specific":{"versions":[{"introduced":"0.44"},{"last_affected":"0.82"}]}}],"versions":["0.67_01","0.67_01-RC1","0.68","0.68_01","0.68_02","0.70","0.71","0.71_01","0.71_02","0.71_03","0.72","0.73","0.74","0.75","0.76","0.77","0.78","0.80","0.81","0.82","2.1.1","2.2.2","2.2.3","2.4.0","2.4.1","2.4.1.1","2.4.2","2.4.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40907.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}