    2 vulnerabilities found for FCGI by ETHER

    CVE-2025-40907 (GCVE-0-2025-40907)

    Vulnerability from nvd – Published: 2025-05-16 13:03 – Updated: 2025-09-05 13:23
    Title
    FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library
    Summary
    FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1395 - Dependency on Vulnerable Third-Party Component
    • CWE-190 - Integer Overflow or Wraparound
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    Impacted products
    Vendor: ETHER
    Product: FCGI
    Version: Affected: 0.44, ≤ 0.82 (custom)
    Credits
    Synacktiv

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40907",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T15:07:46.084885Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-16T15:09:00.138Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "FCGI",
              "product": "FCGI",
              "programFiles": [
                "libfcgi/fcgiapp.c"
              ],
              "programRoutines": [
                {
                  "name": "ReadParams()"
                }
              ],
              "repo": "https://github.com/FastCGI-Archives/fcgi2",
              "vendor": "ETHER",
              "versions": [
                {
                  "lessThanOrEqual": "0.82",
                  "status": "affected",
                  "version": "0.44",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Synacktiv"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.\u003cbr\u003e\u003cbr\u003eThe included FastCGI library is affected by  CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.\u003cbr\u003e"
                }
              ],
              "value": "FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.\n\nThe included FastCGI library is affected by  CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A proof of concept exploit for the underlying library exists at\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library#exploitation\"\u003ehttps://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library#exploitation\u003c/a\u003e"
                }
              ],
              "value": "A proof of concept exploit for the underlying library exists at\u00a0 https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library#exploitation"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1395",
                  "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190 Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-05T13:23:05.630Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2025/04/23/4"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/FastCGI-Archives/fcgi2/issues/67"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/perl-catalyst/FCGI/issues/14"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Updating to version 2.4.5 of the included fcgi2 library and rebuilding the Perl module will protect against the vulnerability.\u003cbr\u003e\u003cbr\u003eWe also recommend limiting potential remote access to the FastCGI socket by declaring it as a UNIX socket.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Updating to version 2.4.5 of the included fcgi2 library and rebuilding the Perl module will protect against the vulnerability.\n\nWe also recommend limiting potential remote access to the FastCGI socket by declaring it as a UNIX socket."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2025-40907",
        "datePublished": "2025-05-16T13:03:02.774Z",
        "dateReserved": "2025-04-16T09:05:34.360Z",
        "dateUpdated": "2025-09-05T13:23:05.630Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-40907 (GCVE-0-2025-40907)

    Vulnerability from cvelistv5 – Published: 2025-05-16 13:03 – Updated: 2025-09-05 13:23