Message-ID: <5a2f67fe-886b-4c2a-a023-d5d5acdfed3f@oracle.com>
Date: Wed, 23 Apr 2025 13:33:27 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-23016: Integer & buffer overflow in fastcgi < 2.4.5

Version 2.4.5 of the fastcgi library was released last week:
https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5

It fixed CVE-2025-23016, which is described as "an integer overflow (and
resultant heap-based buffer overflow) via crafted nameLen or valueLen
values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c."

The upstream bug report can be found at:
https://github.com/FastCGI-Archives/fcgi2/issues/67

and a detailed writeup from the discoverers at:
https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library

which suggests both upgrading to the fixed version and "limiting potential
remote access to the FastCGI socket by declaring it as a UNIX socket."

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
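The bug class in the announcement above turns on how a name-value pair parser checks two attacker-supplied lengths against the bytes it actually has. The following is an added illustration written for this post, not fcgi2's code and not the patched ReadParams: it decodes FastCGI PARAMS pairs (the 1-byte / 4-byte length encoding from the FastCGI specification) and bounds-checks each length separately against the remaining input, so the two lengths are never summed into a value that can wrap. The function names and the sample records are constructed for the example.

```c
/* params_check.c: overflow-safe validation of FastCGI PARAMS name-value pairs.
 * Added illustration, not code from fcgi2. Wire format per the FastCGI spec,
 * section 3.4: each length is 1 byte (high bit clear) or 4 bytes big-endian
 * with the high bit of the first byte set, giving 31-bit lengths. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one length field. Returns bytes consumed (1 or 4), or 0 if the
 * remaining input is too short to hold the field. */
static size_t decode_nv_len(const unsigned char *p, size_t avail, uint32_t *out)
{
    if (avail < 1)
        return 0;
    if ((p[0] & 0x80) == 0) {
        *out = p[0];
        return 1;
    }
    if (avail < 4)
        return 0;
    *out = ((uint32_t)(p[0] & 0x7f) << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 4;
}

/* Walk a PARAMS record body and return the number of well-formed pairs,
 * or -1 if any pair is truncated or claims more bytes than remain.
 * The two lengths are never added together: each is checked on its own
 * against the bytes still available, so a crafted nameLen/valueLen cannot
 * produce a wrapped-around (small or negative) total that passes a bounds
 * check and then drives an oversized allocation or copy. */
long count_params_pairs(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    long pairs = 0;

    while (off < len) {
        uint32_t name_len, value_len;
        size_t n;

        n = decode_nv_len(buf + off, len - off, &name_len);
        if (n == 0)
            return -1;
        off += n;

        n = decode_nv_len(buf + off, len - off, &value_len);
        if (n == 0)
            return -1;
        off += n;

        /* Check the name, then the value, against what is actually left. */
        if (name_len > len - off)
            return -1;
        off += name_len;
        if (value_len > len - off)
            return -1;
        off += value_len;

        pairs++;
    }
    return pairs;
}

/* Constructed sample: a 128-byte name in 4-byte length form with an empty
 * value, to exercise the long-length path. Returns the pair count (1). */
long sample_long_name_pairs(void)
{
    unsigned char rec[4 + 1 + 128];
    rec[0] = 0x80; rec[1] = 0x00; rec[2] = 0x00; rec[3] = 0x80; /* nameLen = 128 */
    rec[4] = 0x00;                                             /* valueLen = 0  */
    memset(rec + 5, 'A', 128);
    return count_params_pairs(rec, sizeof rec);
}

int main(void)
{
    /* Constructed: "QUERY_STRING" (12) = "a=b" (3), both lengths 1-byte. */
    static const unsigned char good[] = "\x0c\x03" "QUERY_STRING" "a=b";
    /* Constructed: nameLen and valueLen both 0x7fffffff in 4-byte form with
     * only four payload bytes behind them. Summing the two in a 32-bit int
     * gives 0xfffffffe, i.e. -2, which would slip past a naive
     * "nameLen + valueLen <= remaining" test; checked separately it fails. */
    static const unsigned char crafted[] = "\xff\xff\xff\xff" "\xff\xff\xff\xff" "XXXX";

    long a = count_params_pairs(good, sizeof good - 1);
    long b = count_params_pairs(crafted, sizeof crafted - 1);
    return (a == 1 && b == -1 && sample_long_name_pairs() == 1) ? 0 : 1;
}
```

The point of the structure is that every comparison is between one 31-bit length and a `size_t` remainder, so no addition of attacker-controlled values happens at all; the same shape applies to any length-prefixed record parser, whichever socket it is reached over.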
