CVE-2025-40907: FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library
Stig Palmquist 16 May 2025 13:04 UTC
========================================================================
CVE-2025-40907 CPAN Security Group
========================================================================
CVE ID: CVE-2025-40907
Distribution: FCGI
Versions: from 0.44 through 0.82
MetaCPAN: https://metacpan.org/dist/FCGI
VCS Repo: https://github.com/FastCGI-Archives/fcgi2
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version
of the FastCGI fcgi2 (aka fcgi) library
Description
-----------
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version
of the FastCGI fcgi2 (aka fcgi) library.
The included FastCGI library is affected by CVE-2025-23016, causing an
integer overflow (and resultant heap-based buffer overflow) via crafted
nameLen or valueLen values in data to the IPC socket. This occurs in
ReadParams in fcgiapp.c.
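As an added illustration of the ReadParams length handling described above (not the fcgi2 project's code, and not the 2.4.5 fix verbatim): the unchecked 32-bit sum nameLen + valueLen + 2 beside a checked version, run on a constructed benign pair and a constructed header that claims two 0x7fffffff lengths. The function names, the sample buffers and the fit-to-buffer bound are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed samples (not real traffic): a benign pair "A"="bc", and a
 * crafted header claiming nameLen = valueLen = 0x7fffffff with no data. */
const uint8_t sample_benign[]  = { 0x01, 0x02, 'A', 'b', 'c' };
const uint8_t sample_crafted[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

/* Decode one FCGI_PARAMS length prefix: one byte when the high bit is clear,
 * otherwise four bytes big-endian with the high bit masked (max 0x7fffffff). */
static int decode_len(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (*pos >= len) return -1;
    uint8_t b = buf[(*pos)++];
    if ((b & 0x80) == 0) { *out = b; return 0; }
    if (len - *pos < 3) return -1;
    *out = ((uint32_t)(b & 0x7f) << 24) | ((uint32_t)buf[*pos] << 16)
         | ((uint32_t)buf[*pos + 1] << 8) | buf[*pos + 2];
    *pos += 3;
    return 0;
}

/* 'Before': the vulnerable pattern. nameLen + valueLen + 2 is computed in
 * 32-bit arithmetic with no bound check, so two 0x7fffffff lengths wrap the
 * allocation size to 0 while the copy that follows still uses the huge
 * lengths. Returns the size that would go to malloc, or -1 on a short header.
 * (uint32_t is used so the wrap is well-defined; the library used int.) */
int64_t param_alloc_size_unchecked(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    uint32_t n, v;
    if (decode_len(buf, len, &pos, &n) || decode_len(buf, len, &pos, &v)) return -1;
    return (int64_t)(uint32_t)(n + v + 2);
}

/* 'After': widen the sum so it cannot wrap and reject lengths larger than the
 * data actually present. This bound is an assumption for a contiguous buffer;
 * the real library also has to cope with params spanning several records.
 * Returns the safe size, or -1 to reject the pair. */
int64_t param_alloc_size_checked(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    uint32_t n, v;
    if (decode_len(buf, len, &pos, &n) || decode_len(buf, len, &pos, &v)) return -1;
    uint64_t need = (uint64_t)n + (uint64_t)v + 2;   /* no overflow in 64 bits */
    if (need - 2 > (uint64_t)(len - pos)) return -1;  /* name + value must fit */
    return (int64_t)need;
}
```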
Problem types
-------------
CWE-1395: Dependency on Vulnerable Third-Party Component
Workarounds
-----------
Updating to version 2.4.5 of the included fcgi2 library and rebuilding
the Perl module will protect against the vulnerability.
We also recommend limiting potential remote access to the FastCGI
socket by declaring it as a UNIX socket.
References
----------
http://www.openwall.com/lists/oss-security/2025/04/23/4
https://github.com/FastCGI-Archives/fcgi2/issues/67
https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library
https://github.com/perl-catalyst/FCGI/issues/14
https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch
Credits
-------
Synacktiv, finder