PT-2025-21645 · Fcgi+7

Synacktiv · Published 2025-01-04 · Updated 2025-11-12 · CVE-2025-40907

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: FCGI versions 0.44 through 0.82
Description: The FastCGI library bundled with FCGI is affected by an integer overflow and a resultant heap-based buffer overflow, triggered via crafted nameLen or valueLen values in data sent to the IPC socket. This occurs in the ReadParams function in fcgiapp.c.
Recommendations: For FCGI versions 0.44 through 0.82, consider disabling the ReadParams function in fcgiapp.c as a temporary workaround until a patch is available. Restrict access to the IPC socket to minimize the risk of exploitation. Avoid using crafted nameLen or valueLen values in data to the IPC socket until the issue is resolved.

Exploit · Fix · Integer Overflow · Heap Based Buffer Overflow

Related Identifiers

ALSA-2025:8635
ALSA-2025:8636
ALSA-2025:8696
AZL-61899
AZL-61905
BDU:2025-09005
CESA-2025_8696
CVE-2025-40907
INFSA-2025_8635
INFSA-2025_8696
MGASA-2025-0277
OESA-2025-1544
RHSA-2025:8625
RHSA-2025:8635
RHSA-2025:8636
RHSA-2025:8677
RHSA-2025:8678
RHSA-2025:8696
RHSA-2025:8697
RHSA-2025:8698
RHSA-2025:8703
RHSA-2025:8829
RHSA-2025:8890
RHSA-2025_8635
RHSA-2025_8696
USN-7527-1

Affected Products

AlmaLinux
CentOS
FCGI
Linux Mint
Red Hat
RED OS
Rocky Linux
Ubuntu