Upstream information

CVE-2025-40907 at MITRE

Description

FCGI versions 0.44 through 0.82, for Perl, include a vulnerable version of the FastCGI fcgi2 (aka fcgi) library.

The included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  CNA (CISA-ADP) SUSE
Base Score 5.3 5.3
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required None None
User Interaction None None
Scope Unchanged Unchanged
Confidentiality Impact None None
Integrity Impact None None
Availability Impact Low Low
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entry: 1243326 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Liberty Linux 7 LTSS
  • perl-FCGI >= 0.74-8.el7_9.1
Patchnames:
RHSA-2025:8625
SUSE Liberty Linux 8
  • perl-FCGI >= 0.78-12.module+el8.10.0+23147+df114ff4
Patchnames:
ESSA-2025:3015
ESSA-2025:3016
ESSA-2025:3017
ESSA-2025:3018
SUSE Liberty Linux 9
  • perl-FCGI >= 0.79-8.1.el9_6
Patchnames:
RHSA-2025:8635


SUSE Timeline for this CVE

CVE page created: Fri May 16 16:00:15 2025
CVE page last modified: Thu Aug 28 14:18:14 2025