Vulnerabilites related to FastCGI - fcgi
Vulnerability from fkie_nvd
Published
2015-02-19 15:59
Modified
2025-04-12 10:46
Severity ?
Summary
FastCGI (aka fcgi and libfcgi) 2.4.0 allows remote attackers to cause a denial of service (segmentation fault and crash) via a large number of connections.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fastcgi:fcgi:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A32B790A-9C4A-4365-8D4E-715A858F4BE4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FastCGI (aka fcgi and libfcgi) 2.4.0 allows remote attackers to cause a denial of service (segmentation fault and crash) via a large number of connections."
},
{
"lang": "es",
"value": "FastCGI (tambi\u00e9n conocido como fcgi y libfcgi) 2.4.0 permite a atacantes remotos causar una denegaci\u00f3n de servicio (fallo de segmentaci\u00f3n y ca\u00edda) a trav\u00e9s de un n\u00famero grande de conexiones."
}
],
"id": "CVE-2012-6687",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-02-19T15:59:00.047",
"references": [
{
"source": "cve@mitre.org",
"url": "http://advisories.mageia.org/MGASA-2015-0184.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2015/02/06/4"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2015/02/07/4"
},
{
"source": "cve@mitre.org",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591"
},
{
"source": "cve@mitre.org",
"url": "https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417"
},
{
"source": "cve@mitre.org",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1189958"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100696"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://advisories.mageia.org/MGASA-2015-0184.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2015/02/06/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2015/02/07/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1189958"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100696"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-05-16 13:15
Modified
2025-07-02 01:01
Severity ?
Summary
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.
The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fastcgi:fcgi:*:*:*:*:*:perl:*:*",
"matchCriteriaId": "1C317242-A340-4C14-BD59-592760BCB0B6",
"versionEndIncluding": "0.82",
"versionStartIncluding": "0.44",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.\n\nThe included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c."
},
{
"lang": "es",
"value": "Las versiones 0.44 a 0.82 de FCGI para Perl incluyen una versi\u00f3n vulnerable de la librer\u00eda FastCGI fcgi2 (tambi\u00e9n conocida como fcgi). Esta librer\u00eda est\u00e1 afectada por CVE-2025-23016, lo que provoca un desbordamiento de enteros (y el consiguiente desbordamiento del b\u00fafer en el mont\u00f3n) mediante valores nameLen o valueLen manipulados en los datos del socket IPC. Esto ocurre en ReadParams de fcgiapp.c."
}
],
"id": "CVE-2025-40907",
"lastModified": "2025-07-02T01:01:01.290",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-05-16T13:15:52.683",
"references": [
{
"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/04/23/4"
},
{
"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/FastCGI-Archives/fcgi2/issues/67"
},
{
"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"tags": [
"Release Notes"
],
"url": "https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5"
},
{
"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/perl-catalyst/FCGI/issues/14"
},
{
"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"tags": [
"Patch"
],
"url": "https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch"
},
{
"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library"
}
],
"sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-23016 (GCVE-0-2025-23016)
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-04-24 15:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-190 - Integer Overflow or Wraparound
Summary
FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23016",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T15:01:43.072364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T15:01:53.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-23T23:02:54.419Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/23/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "fcgi",
"vendor": "FastCGI",
"versions": [
{
"lessThanOrEqual": "2.4.4",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fastcgi:fcgi:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.4.4",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T23:26:53.495Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/FastCGI-Archives/fcgi2/issues/67"
},
{
"url": "https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5"
},
{
"url": "https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23016",
"datePublished": "2025-01-10T00:00:00.000Z",
"dateReserved": "2025-01-10T00:00:00.000Z",
"dateUpdated": "2025-04-24T15:01:53.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6687 (GCVE-0-2012-6687)
Vulnerability from cvelistv5
Published
2015-02-19 15:00
Modified
2024-08-06 21:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
FastCGI (aka fcgi and libfcgi) 2.4.0 allows remote attackers to cause a denial of service (segmentation fault and crash) via a large number of connections.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:36:02.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1189958"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://advisories.mageia.org/MGASA-2015-0184.html"
},
{
"name": "[oss-security] 20150207 Re: CVE request for denial-of-service vulnerability in fcgi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/02/07/4"
},
{
"name": "libfcgi-connections-dos(100696)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100696"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591"
},
{
"name": "[oss-security] 20150206 CVE request for denial-of-service vulnerability in fcgi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/02/06/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-06-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "FastCGI (aka fcgi and libfcgi) 2.4.0 allows remote attackers to cause a denial of service (segmentation fault and crash) via a large number of connections."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-07T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1189958"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://advisories.mageia.org/MGASA-2015-0184.html"
},
{
"name": "[oss-security] 20150207 Re: CVE request for denial-of-service vulnerability in fcgi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/02/07/4"
},
{
"name": "libfcgi-connections-dos(100696)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100696"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591"
},
{
"name": "[oss-security] 20150206 CVE request for denial-of-service vulnerability in fcgi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/02/06/4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6687",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FastCGI (aka fcgi and libfcgi) 2.4.0 allows remote attackers to cause a denial of service (segmentation fault and crash) via a large number of connections."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1189958",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1189958"
},
{
"name": "https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417",
"refsource": "CONFIRM",
"url": "https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417"
},
{
"name": "http://advisories.mageia.org/MGASA-2015-0184.html",
"refsource": "CONFIRM",
"url": "http://advisories.mageia.org/MGASA-2015-0184.html"
},
{
"name": "[oss-security] 20150207 Re: CVE request for denial-of-service vulnerability in fcgi",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/02/07/4"
},
{
"name": "libfcgi-connections-dos(100696)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100696"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591"
},
{
"name": "[oss-security] 20150206 CVE request for denial-of-service vulnerability in fcgi",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/02/06/4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-6687",
"datePublished": "2015-02-19T15:00:00",
"dateReserved": "2015-02-07T00:00:00",
"dateUpdated": "2024-08-06T21:36:02.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40907 (GCVE-0-2025-40907)
Vulnerability from cvelistv5
Published
2025-05-16 13:03
Modified
2025-05-16 15:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1395 - Dependency on Vulnerable Third-Party Component
Summary
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.
The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40907",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-16T15:07:46.084885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T15:09:00.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "FCGI",
"product": "FCGI",
"programFiles": [
"libfcgi/fcgiapp.c"
],
"programRoutines": [
{
"name": "ReadParams()"
}
],
"repo": "https://github.com/FastCGI-Archives/fcgi2",
"vendor": "ETHER",
"versions": [
{
"lessThanOrEqual": "0.82",
"status": "affected",
"version": "0.44",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.\u003cbr\u003e\u003cbr\u003eThe included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.\u003cbr\u003e"
}
],
"value": "FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.\n\nThe included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A proof of concept exploit for the underlying library exists at\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library#exploitation\"\u003ehttps://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library#exploitation\u003c/a\u003e"
}
],
"value": "A proof of concept exploit for the underlying library exists at\u00a0 https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library#exploitation"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T13:03:02.774Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2025/04/23/4"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/FastCGI-Archives/fcgi2/issues/67"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5"
},
{
"tags": [
"technical-description"
],
"url": "https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/perl-catalyst/FCGI/issues/14"
},
{
"tags": [
"patch"
],
"url": "https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Updating to version 2.4.5 of the included fcgi2 library and rebuilding the Perl module will protect against the vulnerability.\u003cbr\u003e\u003cbr\u003eWe also recommend limiting potential remote access to the FastCGI socket by declaring it as a UNIX socket.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Updating to version 2.4.5 of the included fcgi2 library and rebuilding the Perl module will protect against the vulnerability.\n\nWe also recommend limiting potential remote access to the FastCGI socket by declaring it as a UNIX socket."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40907",
"datePublished": "2025-05-16T13:03:02.774Z",
"dateReserved": "2025-04-16T09:05:34.360Z",
"dateUpdated": "2025-05-16T15:09:00.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}