Critical severity9.3NVD Advisory· Published Jan 10, 2025· Updated Apr 15, 2026

CVE-2025-23016

Description

FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.

Patches

12ae40e58f6b

https://github.com/fastcgi-archives/fcgi2via osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.openwall.com/lists/oss-security/2025/04/23/4nvd
github.com/FastCGI-Archives/fcgi2/issues/67nvd
github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5nvd
lists.debian.org/debian-lts-announce/2025/10/msg00009.htmlnvd
www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-librarynvd

News mentions

No linked articles in our index yet.

cvss	0.605
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000