CVE-2025-40907
Publication date 16 May 2025
Last updated 22 May 2025
Ubuntu priority
FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libfcgi-perl | 25.04 plucky |
Not affected
|
| 24.10 oracular |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 0.79-1ubuntu0.1
|
|
| 18.04 LTS bionic |
Fixed 0.78-2ubuntu0.1~esm1
|
|
| 16.04 LTS xenial |
Fixed 0.77-1ubuntu0.1~esm1
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProReferences
Related Ubuntu Security Notices (USN)
- USN-7527-1
- libfcgi-perl vulnerability
- 22 May 2025
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-40907
- https://lists.security.metacpan.org/cve-announce/msg/29651740/
- http://www.openwall.com/lists/oss-security/2025/04/23/4
- https://github.com/FastCGI-Archives/fcgi2/issues/67
- https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
- https://github.com/perl-catalyst/FCGI/issues/14
- https://patch-diff.githubusercontent.com/raw/FastCGI-Archives/fcgi2/pull/74.patch
- https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library