ETHER FCGI up to 0.82 on Perl fcgiapp.c ReadParams nameLen/valueLen vulnerable third-party component

Summaryinfo

A vulnerability, which was classified as problematic, was found in ETHER FCGI up to 0.82 on Perl. This vulnerability affects the function ReadParams of the file fcgiapp.c. Such manipulation of the argument nameLen/valueLen leads to vulnerable third-party component. This vulnerability is referenced as CVE-2025-40907. Furthermore, an exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in ETHER FCGI up to 0.82 on Perl and classified as problematic. Affected by this issue is the function ReadParams of the file fcgiapp.c. The manipulation of the argument nameLen/valueLen with an unknown input leads to a vulnerable third-party component vulnerability. Using CWE to declare the problem leads to CWE-1395. The product has a dependency on a third-party component that contains one or more known vulnerabilities. The impact remains unknown. CVE summarizes:

FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library. The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

The advisory is available at openwall.com. This vulnerability is handled as CVE-2025-40907 since 04/16/2025. Technical details as well as a public exploit are known.

The exploit is available at synacktiv.com. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 237968 (RHEL 9 : perl-FCGI (RHSA-2025:8635)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 2.4.5 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying a patch is able to eliminate this problem. The bugfix is ready for download at patch-diff.githubusercontent.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (237968) and EUVD (EUVD-2025-15438). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• ETHER

Name

• FCGI

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.8
• 0.9
• 0.10
• 0.11
• 0.12
• 0.13
• 0.14
• 0.15
• 0.16
• 0.17
• 0.18
• 0.19
• 0.20
• 0.21
• 0.22
• 0.23
• 0.24
• 0.25
• 0.26
• 0.27
• 0.28
• 0.29
• 0.30
• 0.31
• 0.32
• 0.33
• 0.34
• 0.35
• 0.36
• 0.37
• 0.38
• 0.39
• 0.40
• 0.41
• 0.42
• 0.43
• 0.44
• 0.45
• 0.46
• 0.47
• 0.48
• 0.49
• 0.50
• 0.51
• 0.52
• 0.53
• 0.54
• 0.55
• 0.56
• 0.57
• 0.58
• 0.59
• 0.60
• 0.61
• 0.62
• 0.63
• 0.64
• 0.65
• 0.66
• 0.67
• 0.68
• 0.69
• 0.70
• 0.71
• 0.72
• 0.73
• 0.74
• 0.75
• 0.76
• 0.77
• 0.78
• 0.79
• 0.80
• 0.81
• 0.82

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion