CVE-2025-23016

CVE-2025-23016

Name

CVE-2025-23016

Description

FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
cve@mitre.org	https://github.com/FastCGI-Archives/fcgi2/issues/67
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/04/23/4
cve@mitre.org	https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
cve@mitre.org	https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library

Type

URI

cve@mitre.org

https://github.com/FastCGI-Archives/fcgi2/issues/67

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2025/04/23/4

cve@mitre.org

https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5

cve@mitre.org

https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library

CPE URI	Source package	Min version	Max version
	fcgi	>= 2.0.0	<= 2.4.4

CPE URI

Source package

Min version

Max version

fcgi

>= 2.0.0

<= 2.4.4

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
fcgi	edge-main	2.4.2-r4	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable
fcgi	edge-main	2.4.3-r0	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable
fcgi	edge-main	2.4.4-r0	Carlo Landmeter <clandmeter@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

fcgi

edge-main

2.4.2-r4

Carlo Landmeter <clandmeter@alpinelinux.org>

possibly vulnerable

fcgi

edge-main