CVE-2025-23016
Published: 10 January 2025
Description
FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
Security Summary
CVE-2025-23016 is an integer overflow vulnerability in FastCGI fcgi2 (also known as fcgi), affecting versions 2.x through 2.4.4. The flaw occurs in the ReadParams function within fcgiapp.c, where crafted nameLen or valueLen values in data sent to the IPC socket trigger an integer overflow, leading to a heap-based buffer overflow. This issue is classified under CWE-190 (Integer Overflow or Wraparound) and carries a CVSS v3.1 base score of 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A local attacker with no privileges required can exploit this vulnerability by sending specially crafted data to the affected IPC socket. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, including potential remote code execution due to the heap-based buffer overflow and the changed scope (S:C) in the CVSS vector.
Mitigation guidance from advisories includes updating to fcgi2 version 2.4.5, as indicated in the project's GitHub release. Additional details are available in the GitHub issue tracker, OSS-security mailing list announcement, Synacktiv's exploitation publication, and Debian LTS security advisory, which address patching for affected distributions.
Details
- CWE(s)