CVE-2025-40907

Name: CVE-2025-40907
Description: FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
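The description above names the hazard: the nameLen and valueLen fields of a FastCGI FCGI_PARAMS payload are supplied by the peer on the IPC socket, and if a parser does arithmetic on them before checking them against the bytes actually received, the result can wrap and undersize a heap buffer. The C example below is added here for illustration; it is not code from fcgi2, libfcgi-perl or the upstream fix. It decodes the 1-byte/4-byte length encoding of the FastCGI specification and rejects any pair whose lengths exceed the remaining input before any copy or allocation, so no addition on attacker-controlled values is ever used to size memory. Function names (fcgi_decode_len, fcgi_parse_params, the demo_* helpers) and the sample payloads are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One parsed name/value pair; pointers reference the caller's buffer. */
typedef struct {
    const uint8_t *name;  uint32_t name_len;
    const uint8_t *value; uint32_t value_len;
} fcgi_param;

/* Decode one FastCGI length field: one byte if its high bit is clear,
 * otherwise four bytes big-endian with the high bit masked (31-bit value).
 * Returns the header bytes consumed, or 0 if the input is too short. */
static size_t fcgi_decode_len(const uint8_t *p, size_t avail, uint32_t *out)
{
    if (avail < 1) return 0;
    if ((p[0] & 0x80) == 0) { *out = p[0]; return 1; }
    if (avail < 4) return 0;
    *out = ((uint32_t)(p[0] & 0x7f) << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 4;
}

/* Parse a FCGI_PARAMS payload of len bytes into out[0..max_out).
 * Every length is compared against the bytes still present *before* the
 * offset is advanced, and the two lengths are never added together until
 * both are known to fit, so no wraparound can occur. Returns the number of
 * pairs, or -1 for a malformed or oversized payload. */
int fcgi_parse_params(const uint8_t *buf, size_t len,
                      fcgi_param *out, size_t max_out)
{
    size_t off = 0, count = 0;
    while (off < len) {
        uint32_t name_len, value_len;
        size_t n = fcgi_decode_len(buf + off, len - off, &name_len);
        if (n == 0) return -1;                 /* truncated nameLen header */
        off += n;
        n = fcgi_decode_len(buf + off, len - off, &value_len);
        if (n == 0) return -1;                 /* truncated valueLen header */
        off += n;
        if (name_len > len - off) return -1;   /* name does not fit */
        if (value_len > len - off - name_len) return -1; /* value does not fit */
        if (count == max_out) return -1;       /* caller's table is full */
        out[count].name = buf + off;
        out[count].name_len = name_len;
        out[count].value = buf + off + name_len;
        out[count].value_len = value_len;
        off += name_len;                       /* both bounded above */
        off += value_len;
        count++;
    }
    return (int)count;
}

/* Constructed sample: "A"="x" and "BB"="" using 1-byte lengths. */
int demo_valid(void)
{
    static const uint8_t buf[] = { 0x01, 0x01, 'A', 'x', 0x02, 0x00, 'B', 'B' };
    fcgi_param p[4];
    return fcgi_parse_params(buf, sizeof buf, p, 4);
}

/* Constructed sample: 4-byte nameLen of 3, 1-byte valueLen of 1: "abc"="z". */
int demo_long_form(void)
{
    static const uint8_t buf[] = { 0x80, 0x00, 0x00, 0x03, 0x01, 'a', 'b', 'c', 'z' };
    fcgi_param p[4];
    return fcgi_parse_params(buf, sizeof buf, p, 4);
}

/* Constructed sample: nameLen and valueLen both 0x7fffffff with only two
 * payload bytes present. A parser that sizes a buffer from their sum would
 * misbehave; this one rejects the record because the name cannot fit. */
int demo_oversized(void)
{
    static const uint8_t buf[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 'A', 'x' };
    fcgi_param p[4];
    return fcgi_parse_params(buf, sizeof buf, p, 4);
}

/* Constructed sample: a 4-byte length header cut off after two bytes. */
int demo_truncated_header(void)
{
    static const uint8_t buf[] = { 0x80, 0x00 };
    fcgi_param p[4];
    return fcgi_parse_params(buf, sizeof buf, p, 4);
}

int main(void)
{
    printf("valid=%d long_form=%d oversized=%d truncated=%d\n",
           demo_valid(), demo_long_form(), demo_oversized(), demo_truncated_header());
    return 0;
}
```

The ordering of the checks is the point: the remaining length is the trusted quantity, and each peer-supplied length is compared to it by subtraction from a value already known to be at least as large, so the comparison itself cannot wrap.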

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release      Version     Status
libfcgi-perl (PTS)   bullseye     0.79+ds-2   fixed
                     bookworm     0.82+ds-2   fixed
                     sid, trixie  0.82+ds-3   fixed

The information below is based on the following data on fixed versions.

Package        Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
libfcgi-perl   source   (unstable)   0.79+ds-2

Notes

https://lists.security.metacpan.org/cve-announce/msg/29651740/
Since libfcgi-perl/0.79+ds-1 in experimental, libfcgi-perl is repackaged and
uses the system libfcgi library. Use 0.79+ds-2 as the fixed version.
